Several days ago my computer became infected -- kudos to me for having out-of-date virus definitions. Anyway, I've followed the procedure outlined in the instructions and have eliminated (possibly) a number of elements of a multifaceted infection, possibly with the help of AVG Free Edition and ewido, which I did not have previously. But the popups from loadingwebsite.com persist.
Just ran ewido and HijackThis moments ago, in that order. The logs:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:04:45 PM, 7/30/2005
+ Report-Checksum: 9505FCB5
+ Scan result:
HKU\S-1-5-21-1767564884-3321060216-1441386327-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1767564884-3321060216-1441386327-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1767564884-3321060216-1441386327-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
[1580] C:\WINNT\system32\mnxml2r.dll -> Spyware.Look2Me : Error during cleaning
[1716] C:\WINNT\system32\wqerror.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Casinolasvegas : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@casinolasvegas[1].txt -> Spyware.Cookie.Casinolasvegas : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\owner@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-1767564884-3321060216-1441386327-1003\Dc40\seng.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP29\A0003670.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004004.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004005.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004006.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004007.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004008.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004009.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004010.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004011.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004012.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004013.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004014.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004015.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004016.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004017.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004230.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP32\A0004286.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP33\A0004525.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005376.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005377.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005378.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005379.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005380.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005405.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005428.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP34\A0005550.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP35\A0005600.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP35\A0005626.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP35\A0005627.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP35\A0005629.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP35\A0005630.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP37\A0005643.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\dtmap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\wqerror.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\wyp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\Temp\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINNT\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINNT\Temp\Cookies\owner@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINNT\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:05:26 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.109.40.210:80
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\mnxml2r.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe