Adware Returns on re-boot [RESOLVED]


#1
latimer
I have scanned & cleaned system at least 10 times using MS Antispyware, Ad-Aware, S&D & Norton AV2005. Ended processes like salm.exe & EdowPack.exe. Deleted HKLM... Run for salm.exe & various random apps like zydyb. Deleted C:\Temp containing EdowPack & salm files. Each re-boot brings up an IE window at MediaTickets.t35.com/main.html with a window stating "Please hit "run" 3 times to proceed". MS Antispyware intercepts with alert that WindUpdates.MediaAccess is trying to install & I hit Remove. Once that is cleaned, the system is re-infected with salm.exe & other processes like EdowPack.exe, ShopAtHome, etc. The Temp directory is back with all the adware files and the registry has salm.exe & random.exe's in the RUN service. Here is my HijackThis log immediately after re-booting & removing WindUpdates.MediaAccess:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:07 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\temp\EDowPack.exe
C:\WINDOWS\system32\wuauclt.exe
c:\temp\salm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\ZipStor\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alpineapparatus.com"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [zydyb] c:\windows\zydyb.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Hocxvd] C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

What am I missing??


#2
Guest_thatman_*
Hi latimer

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware.
Check here on how to set up and use it - please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download the Ewido trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [zydyb] c:\windows\zydyb.exe

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
R3 - Default URLSearchHook is missing
C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
C:\temp\EDowPack.exe
c:\temp\salm.exe
C:\svchost.exe
c:\msxct.exe
c:\windows\zydyb.exe

Exit Explorer.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HJT.log.
We will need them to remove previous infections that have left files on your system.

Kc
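As an added example (not code from the thread, from the helper or from HijackThis), the script below encodes the triage the helper applied to the O4 entries above and runs it over entries copied from the first post's log; the heuristic names, the SYSTEM_BINARIES list and the random-name check are my own choices, not anything the tool provides.

```python
"""Triage helper for HijackThis O4 (Run key) entries.

Encodes the checks the helper applied to the log above: an autostart
that points at the root of the drive, at a temp folder, at a bare file
name with no directory, at a path containing characters the log could
not display, or at a well-known Windows binary outside its normal
directory is worth a second look. Output is a review list, not a
verdict: legitimate entries can and do trigger some of these checks.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# O4 entries copied from the first post's log (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [zydyb] c:\windows\zydyb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Hocxvd] C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  hive, key, name, command
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First token ending in .exe, quoted or not; anything after it is arguments.
IMAGE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)

# Core Windows binaries that should only live in SYSTEM_DIRS on XP
# (partial list, chosen for this example).
SYSTEM_BINARIES = {"svchost.exe", "taskmgr.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 Run-key line; returns None for anything else (e.g. Global Startup)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    im = IMAGE_RE.match(command)
    image = im.group(1) if im else command.strip('"').split()[0]
    return Entry(hive, key, name, image)


def _looks_generated(s: str) -> bool:
    """Crude check for random-looking names: 5+ letters with no a/e/i/o/u."""
    return len(s) >= 5 and s.isalpha() and not set(s.lower()) & set("aeiou")


def triage(entry: Entry) -> Entry:
    """Append a reason string for every heuristic the entry trips."""
    low = entry.image.lower()
    directory, _, base = low.rpartition("\\")
    if not directory:
        entry.reasons.append("bare file name, resolved through PATH at logon")
    else:
        if re.fullmatch(r"[a-z]:", directory):
            entry.reasons.append("executable in the root of the drive")
        if "\\temp" in directory or "\\tmp" in directory:
            entry.reasons.append("executable in a temp folder")
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            entry.reasons.append(f"{base} outside the Windows directory")
    if "?" in entry.image:  # '?' is not legal in a Windows path; the log could not render it
        entry.reasons.append("path contains characters the log could not display")
    stem = base.rsplit(".", 1)[0]
    if _looks_generated(stem) and _looks_generated(entry.name):
        entry.reasons.append("name looks machine-generated")
    return entry


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry's [name] to the reasons it was flagged."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return {e.name: e.reasons for e in map(triage, filter(None, entries)) if e.reasons}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(f"[{name}]: " + "; ".join(reasons))
```

Two legitimate entries, CTHelper and MSMSGS, are flagged as well, which is why the output is a list to check against the publisher of each program rather than a list of things to fix.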

#3
latimer
Thanks a bunch Kc
Ran all the procedures you recommended. Seems to be all clean. You turned me on to lots of places I would never have thought of. Did not run Trend Micro HouseCall. They said I need a component -- setupex.exe that brought up the following message: C:\Windows\System32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and MS Windows apps. Chose close to terminate ...

I had previously given msxct.exe a pass. Fooled by that MS prefix, I guess. zydyb.exe is a random-name file that did not re-appear.

Attached is Ewido log right after the only scan; the HJT log after running all procedures and the Panda Report.

Really appreciate your attention.
Latimer

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:07:22 PM, 6/8/2005
+ Report-Checksum: 7FC75C13

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 74933
+ Speed: 41.78 Files/Second
+ Infected files: 77
+ Removed files: 77
+ Files put in quarantine: 77
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\aaiData\RAS.exe -> Not-A-Virus.Joke.WatPor -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@www.shopathomeselect[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temp\DelC0.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.ju -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temp\installer.exe -> Spyware.PurityScan.u -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temp\temp.frBB5B -> Spyware.IBISToolbar -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temporary Internet Files\Content.IE5\AN6ZMPEF\MediaAccC[1].dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\BW\Local Settings\Temporary Internet Files\Content.IE5\ULNG5CZA\nem220[1].dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\00ACEA8B-7EEE-43BD-A220-3A5326\43F58549-4693-40A5-B6DF-E263C5 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\055B9CE2-14E1-48D1-AA93-1BB365\FE8B49C7-0C29-4A07-AC73-1991AF -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\09C1FC22-3F38-4156-BC7A-0556C5\8FBF2CFA-1112-4DAB-9EB6-B6C9F4 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0DAA77BD-C208-40E1-9067-D1B6C5\1ECEE852-6E71-4038-B840-942E5F -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0DAA77BD-C208-40E1-9067-D1B6C5\4078E2F9-B2C1-4FAF-9E55-4337FE -> Spyware.WinAD -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\0A1ABC47-E9D6-4615-B1F9-741F3A -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\184582A3-8439-4E77-90F7-1B9704 -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\289A860A-ADAD-486B-9F70-02F1C3 -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\5D47E017-C552-453A-A164-D25E03 -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\83FD72B8-0D5E-4349-8B61-2AF770 -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\89A72B34-B994-4CFA-9B4D-1CB603 -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\9BF46BAF-D6E7-4C78-A784-DDA7AF -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\F4B799AC-9F46-4FED-B4AE-693861 -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\22106B10-DFB9-4632-A672-190E10\FCDED420-F286-4DE5-87B9-0C5619 -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2CACB306-880F-47FD-BC90-09A8C4\A50E1920-4715-40CA-92B0-230003 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2FA1C00A-C701-4696-BC31-B349EF\9ABBE974-F381-48AA-889A-DFD98D -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\40AD916C-1D86-4CC3-A700-19CEB2\716EB830-3DDE-4BE4-B432-298BD6 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4FFBF5F5-0E92-45CA-A630-F60943\6FA55487-7E11-445A-95D5-F9E8B0 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5284ACF2-5A82-4065-8A8C-524E6A\3258D849-703E-4FD8-86BA-66836F -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5BD2FD2A-CC4E-466D-977C-E3E8F1\F96B3B15-6CFE-4DDB-B754-FC8EBD -> Spyware.WebSearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6B010966-652B-4066-BD65-AD4640\458DAF65-51AF-4ECC-A7B4-5F7763 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7C4B1428-EF96-442A-83E5-2AB90C\DB68B663-8084-4927-80A3-662AB1 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7DAFFC26-71C1-49A3-B915-CA4399\BB8A8D2E-14E1-4327-8EBB-F18362 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\912BD228-9C00-4827-A2A0-8528DB\B190FBF9-21B1-4EB0-AFCF-B4C795 -> Spyware.180solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D650F10-ACA5-4C7E-8123-AEDB4A\241A42E6-E420-45BC-A698-E1CB60 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AC8031CA-7881-43DF-A6DC-9B7FD0\B0EA23AA-FC40-4BDC-B6E5-1034E1 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AEF813C3-23F6-45C8-BA6E-72F80A\8ADCBDE7-4D5F-46C0-B2CA-4D6D18 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B1A56B5A-2BC7-41E6-BAF9-C745B9\C8B009BF-4B23-43EA-A4D5-8A8624 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B20A6EC1-01C8-47F0-8B2C-A9A181\2E5DCE5D-931F-4943-AB42-53CF06 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B20A6EC1-01C8-47F0-8B2C-A9A181\A6B64CF3-3B30-48C9-A629-5BC386 -> Spyware.WinAD -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C1F4DEA8-30B1-42F5-8060-B084B5\E271E42B-A014-4204-AC5C-4949A3 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C738C4C5-2F99-484C-B3E9-FD5070\6BD7C629-87F1-484F-ABBD-0BFF47 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6304897-B252-4A7F-B866-21666A\2E5ACFDB-4FE8-428A-8EB2-D61784 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EF5CB4C2-18B8-407A-87E5-9F6922\3E658D81-FF67-41FD-9BC1-898307 -> Spyware.WinAD -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EF5CB4C2-18B8-407A-87E5-9F6922\B8178962-AAE6-4595-9482-10700E -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F045F35A-0CC0-43AB-90F6-1C2ACC\0957D9A1-170E-430A-A37A-09A2E4 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F045F35A-0CC0-43AB-90F6-1C2ACC\A9C628C5-673C-4AF3-AE46-D006E1 -> Spyware.WinAD -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F76BB380-475D-4556-9A00-60BA11\73D16E57-0FCF-4728-BC16-912136 -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Toolbar\radio.exe -> Spyware.WebSearch -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc282\salm.exe -> Spyware.180Solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc282\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc289\EDow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc289\EDowPack.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc289\salm.exe -> Spyware.180Solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc289\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc291\EDow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc291\EDowPack.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc291\salm.exe -> Spyware.180Solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1618450925-1447274769-3574558766-1005\Dc291\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\svchost.exe -> Spyware.PurityScan -> Cleaned with backup
C:\temp\EDow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\temp\EDowPack.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\temp\salm.exe -> Spyware.180Solutions -> Cleaned with backup
C:\temp\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\70tovmto.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\SYSTEM32\abasa5jrp.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hochkaod3.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\SYSTEM32\qh4mkbv9.dll -> Spyware.Sahat.l -> Cleaned with backup
C:\WINDOWS\u6f6uftuc.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\zydyb.exe -> Spyware.180solutions -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:10:41 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ZipStor\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alpineapparatus.com"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Hocxvd] C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Betting.lnk
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\BW\Favorites\Technology\Tech & gadgets.lnk
Spyware:Spyware/Conducent-Timesink No disinfected C:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0DAA77BD-C208-40E1-9067-D1B6C5\406DB09D-7938-4DF5-9188-58E83D
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0DAA77BD-C208-40E1-9067-D1B6C5\E1B6AA20-62B1-4084-8242-BF54F7
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B20A6EC1-01C8-47F0-8B2C-A9A181\A0AF0ADC-2910-419D-B996-08CF00
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B20A6EC1-01C8-47F0-8B2C-A9A181\FD883FC8-9673-4519-95D3-E4F755
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EF5CB4C2-18B8-407A-87E5-9F6922\1FD45F17-0254-49E2-ACA5-899BE1
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EF5CB4C2-18B8-407A-87E5-9F6922\E6060F4C-FD08-4025-A717-0B4D8D
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F045F35A-0CC0-43AB-90F6-1C2ACC\4FFA597D-0034-4EA1-A497-9F753F
Adware:Adware/WinAD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F045F35A-0CC0-43AB-90F6-1C2ACC\74B55804-C6E5-4941-91EF-9ABD46
Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\70tovmto.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\abasa5jrp.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\hochkaod3.ini
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\u6f6uftuc.ini
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe

I think this is the Panda Report. There were like 76 infections reported.
Thanks again.

#4
Guest_thatman_* (Guest)
Hi latimer

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check here on how to set up and use it - please make sure you update it first. Don't run it yet.

Download CW-Shredder at the link below:
CWShredder (do not run it yet).

Download Pocket Killbox and unzip it; save it to your Desktop.

We may have to do a registry search for the left-over items, but with no program to run them the regkeys are useless.
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected Windows Registry


Reboot into Safe Mode: please see here if you are not sure how to do this.

C:\Program Files\joystick networks <-- Delete the whole folder

C:\Program Files\Microsoft AntiSpyware\Quarantine <-- Delete all the Quarantine items
C:\Program Files\ewido\security suite <-- Delete all the Quarantine items

Empty your recycle bin

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\WINDOWS\unstall.exe
C:\Documents and Settings\BW\Favorites\Fun & Games\Betting.lnk
C:\Documents and Settings\BW\Favorites\Fun & Games\Casino Palace.lnk
C:\Documents and Settings\BW\Favorites\Fun & Games\Casino.lnk
C:\Documents and Settings\BW\Favorites\Fun & Games\Games.lnk
C:\Documents and Settings\BW\Favorites\Fun & Games\Horoscope.lnk
C:\Documents and Settings\BW\Favorites\Going Places\Air Tickets.lnk
C:\Documents and Settings\BW\Favorites\Going Places\Car Rentals.lnk
C:\Documents and Settings\BW\Favorites\Going Places\Hotel Deals.lnk
C:\Documents and Settings\BW\Favorites\Going Places\Luggage.lnk
C:\Documents and Settings\BW\Favorites\Going Places\Travel.lnk
C:\Documents and Settings\BW\Favorites\Living\Dating.lnk
C:\Documents and Settings\BW\Favorites\Living\Find a Degree.lnk
C:\Documents and Settings\BW\Favorites\Living\Find a job.lnk
C:\Documents and Settings\BW\Favorites\Living\Home.lnk
C:\Documents and Settings\BW\Favorites\Living\Insurance.lnk
C:\Documents and Settings\BW\Favorites\Shop\Auctions.lnk
C:\Documents and Settings\BW\Favorites\Shop\Books.lnk
C:\Documents and Settings\BW\Favorites\Shop\Computers.lnk
C:\Documents and Settings\BW\Favorites\Shop\Discount.lnk
C:\Documents and Settings\BW\Favorites\Shop\Flowers.lnk
C:\Documents and Settings\BW\Favorites\Shop\Golf.lnk
C:\Documents and Settings\BW\Favorites\Shop\Jewelry.lnk
C:\Documents and Settings\BW\Favorites\Shop\Movies.lnk
C:\Documents and Settings\BW\Favorites\Shop\Music.lnk
C:\Documents and Settings\BW\Favorites\Shop\Online Store.lnk
C:\Documents and Settings\BW\Favorites\Shop\Perfume.lnk
C:\Documents and Settings\BW\Favorites\Shop\Sleepwear.lnk
C:\Documents and Settings\BW\Favorites\Technology\Adware Remover.lnk
C:\Documents and Settings\BW\Favorites\Technology\Anti-Virus.lnk
C:\Documents and Settings\BW\Favorites\Technology\PC Cleaner.lnk
C:\Documents and Settings\BW\Favorites\Technology\Tech & gadgets.lnk
C:\WINDOWS\myurlff.exe
C:\WINDOWS\SYSTEM32\70tovmto.ini
C:\WINDOWS\SYSTEM32\abasa5jrp.ini
C:\WINDOWS\SYSTEM32\hochkaod3.ini
C:\WINDOWS\system32\msxct.exe
C:\windows\MSXCT1.ini
C:\windows\applog\MSXCT.lgc
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\SYSTEM32\u6f6uftuc.ini
C:\WINDOWS\unstall.exe

C:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe
Let the system reboot.

Run Ewido and save the scan.log.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#5
latimer (Topic Starter, Member, 10 posts)
Thanks again Kc :tazz:
Guess I screwed up running killbox the first time as I put all file-paths in the slot together, separated by a space, before hitting the red button. I did successfully delete all your listed files manually except msxct.exe, msxct1.ini and unstall.exe -- couldn't find them.

I have a paid version of GlobalSCAPE/CuteFTP, but know it downloads with the ad-supported stuff. Should I, could I, delete CTInstall.exe anyway?

Follows: Panda Report; Ewido log and HJT.log after running Panda and Ewido.

Still waiting to run Ad-Aware and CWShredder. Thanks much.


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Virus:Trj/Downloader.AZU Disinfected C:\aaiData\E-mail on 'Kj' (J)\Trash[~000361.@x@]
Virus:Trj/Downloader.AZU Disinfected C:\aaiData\E-mail on 'Kj' (J)\Trash[~000367.@x@]
Virus:Trj/Downloader.AZU Disinfected C:\aaiData\oldE-mail\Trash[~000361.@x@]
Virus:Trj/Downloader.AZU Disinfected C:\aaiData\oldE-mail\Trash[~000367.@x@]
Spyware:Spyware/Conducent-Timesink No disinfected C:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:14:40 PM, 6/9/2005
+ Report-Checksum: 5651ADCB

+ Date of database: 6/9/2005
+ Version of scan engine: v3.0

+ Duration: 17 min
+ Scanned Files: 73996
+ Speed: 68.80 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\BW\Cookies\bw@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\BW\Cookies\bw@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 4:49:23 PM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\ZipStor\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alpineapparatus.com"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Hocxvd] C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6
Guest_thatman_* (Guest)
Hi latimer

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

C:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe
This one is for you to keep or delete; if it was up to me I would uninstall the program.
Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders:
C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe <-- The ?? is there to stop HJT deleting the item.
Delete the folder ??crosoft.net
1. Click Start > Run.
2. Type regedit

Then click OK.

3. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"taskmgr"="%Windows%\system\taskmgr.exe"
5. Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
6. In the right pane, delete the value:
"AskUser"="0"
7. Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
8. In the right pane, delete the value:
"UseFormSuggest"="no"
9. Navigate to the key:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
10. In the right pane, modify the value:
Windows 95/98/Me:
"(Default)"="WINDOWS\NOTEPAD.EXE %1"
Windows NT/2000/XP:
"(Default)"="%SystemRoot%\system32\NOTEPAD.EXE %1"
11. Exit the Registry Editor.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\aaiData\E-mail on 'Kj' (J)\Trash[~000361.@x@]
C:\aaiData\E-mail on 'Kj' (J)\Trash[~000367.@x@]
C:\aaiData\oldE-mail\Trash[~000361.@x@]
C:\aaiData\oldE-mail\Trash[~000367.@x@]
Let the system reboot.

Run the Panda scan again and post the Panda and HJT logs.

Kc :tazz:
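An added example, not from the thread and not a HijackThis feature: a short Python script that walks the O4 (autostart) lines of an HJT log and flags the kind of entry Kc singled out above, a Run value whose path HijackThis prints with '?' placeholders for characters it cannot display, and whose executable borrows a Windows system binary name (taskmgr.exe) from outside system32. The sample log lines are constructed from the shape of the logs in this thread.

```python
import ntpath
import re

# Constructed sample (shape copied from the HJT logs above): benign autostart
# entries plus the one Kc pointed out, whose directory name HijackThis rendered
# with '?' because it contains characters it cannot print.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Hocxvd] C:\WINDOWS\system32\??crosoft.NET\taskmgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"  (Run, RunOnce, RunServices, ...)
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable in a command line, quoted or not (unquoted paths may contain spaces)
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)

# Windows binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def parse_o4(line):
    """Return (hive, key, value name, executable path) for a registry O4 line, else None."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    e = EXE_PATH.match(cmd)
    path = e.group("path") if e else cmd.split()[0]
    return m.group("hive"), m.group("key"), m.group("name"), path


def suspicious_reasons(path):
    """Reasons an autostart path deserves a closer look; empty list if none."""
    reasons = []
    # HJT prints '?' for characters it cannot display; a vendor install path never has them.
    if "?" in path:
        reasons.append("unrenderable-chars")
    # A system binary name started from anywhere other than system32 itself
    # (the helper's registry step shows the same trick with %Windows%\system\taskmgr.exe).
    directory, base = ntpath.split(path)
    if base.lower() in SYSTEM_BINARIES and not directory.lower().endswith("\\system32"):
        reasons.append("system-name-outside-system32")
    return reasons


def scan_hjt(text):
    """Walk an HJT log and return the registry O4 entries worth investigating."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, path = parsed
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['path']}: {', '.join(f['reasons'])}")
```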

#7
latimer (Topic Starter, Member, 10 posts)
:tazz:
Hi Kc
I think you got me a clean system! I removed CTInstall, but have to keep CuteFTP which we use to maintain our web-site.

Here's the Panda Scan & HJT log. I searched the Registry for Adware:Adware/Save Now & Adware/SaveNow and could not find it.

Thanks a bunch.
Latimer

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry


Logfile of HijackThis v1.99.1
Scan saved at 1:33:25 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\ZipStor\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alpineapparatus.com"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BW\Application Data\Mozilla\Profiles\default\l6r7iyel.slt\prefs.js)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8
Guest_thatman_* (Guest)
Hi latimer

Congratulations! Your system is CLEAN ;)

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
SpyBot Search & Destroy v1.3
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn off system restore
Disabling or enabling Windows XP System Restore
Windows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place?

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
Quote:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice Day.

Kc :tazz:

#9
Guest_thatman_* (Guest)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.