Thanks Again! Seems to be OK
Logfile of HijackThis v1.99.1
Scan saved at 4:07:08 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 5:56:54 AM, 7/17/2005
+ Report-Checksum: 43A2D47E
+ Scan result:
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT83UH25\MediaTicketsInstaller[1].cab/MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Ignored
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\NFVVRWHD\c1=001&c2=000&c3=000&c4=000&c5=000&c6=000&c7=000&c8=000&c9=000&c10=999&c11=999&c12=000&z1=0000000[1].htm -> Spyware.BookedSpace : Ignored
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\QFO3MH87\site=cs&pagepos=100&page=confirmation&adsize=1x1&context=generic&Params[1].htm -> Spyware.BookedSpace : Ignored
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\QFO3MH87\site=cs&pagepos=100&rstid=337&brand=citysearch&state=NY&city=ithaca&adsize=1x1&market_id=44&Params[1].htm -> Spyware.BookedSpace : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
C:\Documents and Settings\Atomic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-3ea1b0d-11dc7638.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\01QFSHIV\input[2].php -> Not-A-Virus.Exploit.HTML.DragDrop : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\41UBQVG9\bridge-c1[1].cab/bridge.dll -> TrojanSpy.Briss.f : Error during cleaning
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\833BI0X1\0,1-00,chicken_wings,FF[1].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\833BI0X1\0,1-00,chicken_wings,FF[2].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\833BI0X1\0,1839,132191-246195,00[2].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\G9OVW7WV\traf_mktplc_popunder[1].js -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\GFTJAQNP\secure[1].php -> TrojanDownloader.Psyme.i : Cleaned with backup
C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\KVHW1S92\mov06[1].exe -> TrojanDropper.Small.acb : Cleaned with backup
C:\Program Files\LeapFTP\Backup\LeapFTP.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\LeapFTP\LeapFTP.exe -> Heuristic.Win32.Dialer : Cleaned with backup
::Report End
Panda
Incident Status Location
Spyware:spyware/bridge No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Atomic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-608aac2a-41b54288.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Atomic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-3ea1b0d-11dc7638.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Atomic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv609.jar-19b4a454-194bb205.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Atomic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv609.jar-19b4a454-194bb205.zip[Matrix.class]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\01QFSHIV\myform9[1].php
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\01QFSHIV\toolbar1[1].htm
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\01QFSHIV\toolbar2[1].htm
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\2Q6H1LWU\prompt[1].htm
Spyware:Spyware/Bridge No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\41UBQVG9\bridge-c1[1].cab[bridge.dll]
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\67QV0JSP\CA8LUFGH.HTM
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\839JEA71\prompt[1].htm
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\EHSJADSH\x2[1].htm
Virus:VBS/Psyme.gen Disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\FAKN7L41\load-pop[1].htm
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\JVL7RT0W\CAANIFM1.HTM
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\JVL7RT0W\get[1].htm
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\JVL7RT0W\get[2].htm
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\JVL7RT0W\get[3].htm
Adware:Adware/StartPage.gen No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT1MZU1S\fav[1].exe
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT83UH25\CATK8FH9.HTM
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT83UH25\MediaTicketsInstaller[1].cab
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT83UH25\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.ocx]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\MT83UH25\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.INF]
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\S9GN4VYV\CACP8P0R.HTM
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Atomic\Local Settings\Temporary Internet Files\Content.IE5\S9GN4VYV\CASH2JOP.HTM
Possible Virus. No disinfected C:\Program Files\Picasa\pinstall.dll