Got a PUP? Cannot be deleted or fixed [CLOSED]


This topic is locked.

#1 cbt131 (Member, 41 posts)
Help, I have a PUP: Adware Portal Scan.
McAfee cannot remove it, even though it has tried.
Here's my HijackThis log,
thanks
Cheryl



Logfile of HijackThis v1.99.1
Scan saved at 11:56:13 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Franklin Covey\Planner\planner.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\QUICKENW\qw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cheryl Tasciotti\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Cheryl Tasciotti\Local Settings\Temporary Internet Files\Content.IE5\QTBWTWJA\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#2 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go, Cheryl!

I don't see anything suspicious in your HJT log. Let's see about finding the PUP to which McAfee is referring.

First, download and install CleanUp!

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end; if it does, go ahead and reboot.

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here.

#3 cbt131 (Topic Starter, Member, 41 posts)
Ran CleanUp!, thanks. Here's the HijackThis log.
Thanks,
Cheryl



Logfile of HijackThis v1.99.1
Scan saved at 9:56:35 AM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cheryl Tasciotti\Local Settings\Temporary Internet Files\Content.IE5\QTBWTWJA\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#4 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please follow the rest of the instructions in my previous post. (Run ActiveScan, save the log and post it here).

#5 cbt131 (Topic Starter, Member, 41 posts)
Results of ActiveScan,
Thanks, Cheryl

Incident Status Location

Adware:adware/delfinmedia No disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/browseraid No disinfected C:\WINDOWS\mwsvm.dat
Spyware:spyware/clearsearch No disinfected C:\PROGRAM FILES\ClearSearch
Adware:adware/funweb No disinfected C:\PROGRAM FILES\FunWebProducts
Adware:adware/xupiter No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\updater\data1.dat
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\updater\data2.dat
Adware:Adware/FunWeb No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP765\A0057191.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/PortalScan No disinfected C:\WINDOWS\mwsvm.bin
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\pcs\init.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\pcs\pcsvcAccess.ocx

#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\PROGRAM FILES\COMMON FILES\remove_tools.html
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\mwsvm.dat
C:\PROGRAM FILES\ClearSearch
C:\PROGRAM FILES\FunWebProducts
C:\Program Files\Common Files\updater\data1.dat
C:\Program Files\Common Files\updater\data2.dat
C:\WINDOWS\mwsvm.bin
C:\WINDOWS\SYSTEM32\pcs\init.dll
C:\WINDOWS\SYSTEM32\pcs\pcsvcAccess.ocx
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP765\A0057191.inf


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, delete the following folders, if found:

C:\WINDOWS\SYSTEM32\pcs
C:\Program Files\Common Files\updater
C:\PROGRAM FILES\ClearSearch
C:\PROGRAM FILES\FunWebProducts

Open HijackThis.
  • Click Open Misc Tools section
  • Click Open Uninstall Manager
  • Click Save List - Save it anywhere.
  • A Notepad window will pop up after it's saved; please copy everything in that Notepad window and paste it here.

Edited by bananafanafo, 07 August 2005 - 05:09 PM.

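The Killbox list in the post above was built by hand from the ActiveScan results: duplicate hits on the same file (Panda reports some paths once in upper case and once in mixed case) were collapsed, and the "Windows Registry" hit was left out because a file-deletion tool cannot act on it. The following Python script is an added example, not code from the thread or from Panda, that does that triage automatically. It assumes the one-line-per-finding format shown in Cheryl's paste ("Type:family Status Location"); the sample text is that paste, embedded as constructed input.

```python
import re

# Constructed sample: the ActiveScan result lines posted in this thread, in the
# "<Type>:<family> <status> <location>" shape the report uses.
SAMPLE_RESULTS = r"""
Incident Status Location

Adware:adware/delfinmedia No disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/browseraid No disinfected C:\WINDOWS\mwsvm.dat
Spyware:spyware/clearsearch No disinfected C:\PROGRAM FILES\ClearSearch
Adware:adware/funweb No disinfected C:\PROGRAM FILES\FunWebProducts
Adware:adware/xupiter No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\updater\data1.dat
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\updater\data2.dat
Adware:Adware/FunWeb No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP765\A0057191.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/PortalScan No disinfected C:\WINDOWS\mwsvm.bin
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\pcs\init.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\pcs\pcsvcAccess.ocx
"""

# One result line: type, family, status ("No disinfected" throughout this report), location.
RESULT_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<family>\S+)\s+"
    r"(?P<status>(?:\S+\s+)?disinfected)\s+"
    r"(?P<location>.+?)\s*$",
    re.IGNORECASE,
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_results(text):
    """Return one dict per recognised result line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["family"] = rec["family"].lower()  # Panda mixes case between passes
            records.append(rec)
    return records


def unique_paths(records):
    """File-system locations, deduplicated case-insensitively (Windows paths are
    case-insensitive), keeping first-seen order for the deletion list."""
    seen, paths = set(), []
    for rec in records:
        loc = rec["location"]
        if DRIVE_PATH_RE.match(loc) and loc.lower() not in seen:
            seen.add(loc.lower())
            paths.append(loc)
    return paths


def triage(records):
    """Split the findings into what a file-deletion tool can act on and what it cannot."""
    paths = unique_paths(records)
    families = sorted({r["family"] for r in records})
    return {
        "paths": paths,
        # Files inside a System Restore point: deleting them normally needs
        # System Restore turned off (or the restore points purged) first.
        "restore_point_paths": [p for p in paths
                                if "\\system volume information\\" in p.lower()],
        # Findings whose location is not a file (here "Windows Registry") need
        # registry cleanup rather than an entry in a file-deletion list.
        "non_file_families": sorted({r["family"] for r in records
                                     if not DRIVE_PATH_RE.match(r["location"])}),
        "families": {f: sum(1 for r in records if r["family"] == f) for f in families},
    }


if __name__ == "__main__":
    result = triage(parse_results(SAMPLE_RESULTS))
    print("Paths for the deletion list:")
    for p in result["paths"]:
        print("  " + p)
    print("Inside a restore point:", result["restore_point_paths"])
    print("Registry-only findings:", result["non_file_families"])
    print("Detections per family:", result["families"])
```

On the sample, `triage` returns exactly the 12 paths Michelle listed, flags the one file under `C:\System Volume Information` as living in a restore point, and reports `adware/xupiter` as a registry-only finding with no file to delete.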

#7 cbt131 (Topic Starter, Member, 41 posts)
Is this what you wanted? Your directions in the last post left me a bit confused. Anyway, here is the latest HijackThis log after doing the Killbox.
Cheryl




Logfile of HijackThis v1.99.1
Scan saved at 9:27:34 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Cheryl Tasciotti\Desktop\HijackThis One.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
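Reading three near-identical HijackThis logs by eye is error-prone; what a helper actually wants to know is which R/O entries changed between runs and which entries point at targets HijackThis could not resolve. The following Python script is an added example, not part of the thread and not HijackThis's own code. It assumes HijackThis's "<section> - <entry>" line shape, and the two sample logs are constructed from a handful of lines taken from the first (8/5) and the third (8/8) log above. The single change it reports, the Panda ActiveScan installer control under O16, is the expected side effect of the online scan Cheryl ran in between.

```python
import re

# HijackThis line shape: "<section> - <entry>", e.g. "O16 - DPF: {CLSID} (Name) - URL".
# Sections are R0-R3, F0-F3, N1-N4 and O1-O24; header lines and the
# "Running processes" list do not match and are ignored.
HJT_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<entry>.+?)\s*$")

# Constructed samples: a subset of the 8/5 and 8/8 logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:56:13 PM, on 8/5/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:27:34 PM, on 8/8/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def _section_key(item):
    """Sort key that orders O4 before O16 (numeric, not lexicographic)."""
    section, entry = item
    return (section[0], int(section[1:]), entry)


def parse_hjt(text):
    """Return the set of (section, entry) pairs found in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("entry")))
    return entries


def diff_logs(before_text, after_text):
    """Entries that appeared or disappeared between two logs of the same machine."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "added": sorted(after - before, key=_section_key),
        "removed": sorted(before - after, key=_section_key),
    }


def unresolved_entries(text):
    """Entries whose target HijackThis could not resolve: '(no file)' or '= ?'.
    Usually leftovers of uninstalled software, but also what a component whose
    file was deleted (by a scanner or by Killbox) leaves behind, so they are
    worth a second look after a cleanup."""
    return sorted(
        ((sec, entry) for sec, entry in parse_hjt(text)
         if entry.endswith("(no file)") or entry.endswith("= ?")),
        key=_section_key,
    )


if __name__ == "__main__":
    delta = diff_logs(LOG_BEFORE, LOG_AFTER)
    for sec, entry in delta["added"]:
        print("+ %s - %s" % (sec, entry))
    for sec, entry in delta["removed"]:
        print("- %s - %s" % (sec, entry))
    for sec, entry in unresolved_entries(LOG_AFTER):
        print("? %s - %s" % (sec, entry))
```

The comparison is a set difference on exact entry text, so a changed path or CLSID shows up as one removal plus one addition rather than being silently matched up; that is the behaviour a reviewer wants, because a persistence entry that merely moved is still a change.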

#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Which instructions confused you? The ones after Killbox?

Open HiJackThis.
Click on "None of the above just start the program"
Click on the "Config" button (bottom right)
Click "Misc Tools"
Click "Open Uninstall Manager"
Click "Save List" - Save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad window and paste it here.

#9 cbt131 (Topic Starter, Member, 41 posts)
Thanks,
C.

2004 Dallas SG on CD
Active Disk
Ad-aware 6 Personal
Adobe Acrobat 4.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0
AOL Instant Messenger
Broadcom Management Programs
CleanUp!
Conexant D850 56K V.9x DFVc Modem
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
Data Access Objects (DAO) 3.0
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Dell Support 5.0.0 (734)
Digital Line Detect
EarthLink Setup Files
Easy CD Creator 5 Basic
exPressit S.E. 2.1
Fotki XP Publishing Wizard
FranklinCovey Planning Software
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
hp instant support
hp officejet k series
Intel® Extreme Graphics Driver
IomegaWare 4.0.2
iPod Update 2004-04-28
iTunes
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_06
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Windows Journal Viewer
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MUSICMATCH® Jukebox
NetWaiting
Ofoto Easy Upload ActiveX Control
Paint Shop Pro 7
Panda ActiveScan
PGate Basic
Quicken 2005
QuickTime
RealPlayer
Rio Internet Update
Rio Music Manager
Rio Taxi
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Shockwave
Spybot - Search & Destroy 1.2
SpywareBlaster v2.6.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Helper
Window Search
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPatrol

#10 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

#11 cbt131 (Member, Topic Starter, 41 posts)
Session log posted as follows, BUT now I have a problem because the Spy Sweeper said:

"Spy Sweeper successfully removed a known IE hijacker. If it seems your IE settings such as your home page or searching capabilities have not improved, follow these steps to fix the issue:
1) Click Shields
2) Click IE tab
3) Click reset IE page settings to Defaults"

Then I did the above instructions because I thought I read it said to do it, not IF the settings have not improved, and NOW I keep getting a window that says my HOSTS settings were changed. Also, my McAfee icon shows disabled; it is now black even though McAfee is running according to the Security Center.
I am posting the 2nd Spy Sweeper session as well, after IE settings were restored to defaults. Also am posting HOSTS notepad.

What should I do?

********
First spy sweeper session
6:59 PM: |··· Start of Session, Thursday, August 11, 2005 ···|
6:59 PM: Spy Sweeper started
6:59 PM: Sweep initiated using definitions version 514
6:59 PM: Starting Memory Sweep
7:06 PM: Memory Sweep Complete, Elapsed Time: 00:06:50
7:06 PM: Starting Registry Sweep
7:06 PM: Found Trojan Horse: 2nd-thought
7:06 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
7:06 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
7:06 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
7:06 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
7:06 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
7:06 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
7:06 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
7:06 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
7:07 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
7:07 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
7:07 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
7:07 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
7:07 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
7:07 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
7:07 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
7:07 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
7:07 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
7:07 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
7:07 PM: Found Adware: addestroyer
7:07 PM: HKCR\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 102728)
7:07 PM: HKCR\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102729)
7:07 PM: HKCR\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102730)
7:07 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102732)
7:07 PM: HKCR\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102733)
7:07 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102734)
7:07 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 102735)
7:07 PM: HKCR\swlad1.swlad\ (3 subtraces) (ID = 102736)
7:07 PM: HKLM\software\classes\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 102737)
7:07 PM: HKLM\software\classes\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102738)
7:07 PM: HKLM\software\classes\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102739)
7:07 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102741)
7:07 PM: HKLM\software\classes\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102742)
7:07 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102743)
7:07 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 102744)
7:07 PM: HKLM\software\classes\swlad1.swlad\ (3 subtraces) (ID = 102745)
7:07 PM: HKLM\software\classes\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102746)
7:07 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102747)
7:07 PM: HKCR\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102750)
7:07 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102751)
7:07 PM: Found Adware: delfin
7:07 PM: HKCR\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 124837)
7:07 PM: HKCR\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 124838)
7:07 PM: HKCR\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124839)
7:07 PM: HKCR\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124840)
7:07 PM: HKLM\software\classes\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 124841)
7:07 PM: HKLM\software\classes\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 124842)
7:07 PM: HKLM\software\classes\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124843)
7:07 PM: HKLM\software\classes\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124844)
7:07 PM: HKLM\software\classes\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124845)
7:07 PM: HKLM\software\classes\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124846)
7:07 PM: HKLM\software\microsoft\windows\currentversion\uninstall\pgate\ (2 subtraces) (ID = 124881)
7:07 PM: HKU\S-1-5-21-1948358126-1296844153-3270823822-1006\software\pcsv\ (5 subtraces) (ID = 124887)
7:07 PM: HKLM\software\pcsv\ (6 subtraces) (ID = 124888)
7:07 PM: HKCR\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124899)
7:07 PM: HKCR\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124900)
7:08 PM: Found Adware: squire webhelper
7:08 PM: HKCR\typelib\{805af2c8-98c7-4f3c-a7c9-25ebf27567f3}\ (9 subtraces) (ID = 142155)
7:08 PM: HKLM\software\classes\typelib\{805af2c8-98c7-4f3c-a7c9-25ebf27567f3}\ (9 subtraces) (ID = 142176)
7:08 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sqwire\ (2 subtraces) (ID = 142190)
7:08 PM: Found Adware: websearch toolbar
7:08 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
7:08 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 466854)
7:08 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 466855)
7:08 PM: HKCR\popoops2.popoops\clsid\ (1 subtraces) (ID = 466856)
7:08 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 466858)
7:08 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 466859)
7:08 PM: HKLM\software\classes\popoops2.popoops\clsid\ (1 subtraces) (ID = 466860)
7:08 PM: Registry Sweep Complete, Elapsed Time:00:01:17
7:08 PM: Starting Cookie Sweep
7:08 PM: Found Spy Cookie: websponsors cookie
7:08 PM: cheryl tasciotti@a.websponsors[2].txt (ID = 3665)
7:08 PM: Found Spy Cookie: yieldmanager cookie
7:08 PM: cheryl tasciotti@ad.yieldmanager[2].txt (ID = 3751)
7:08 PM: Found Spy Cookie: specificclick.com cookie
7:08 PM: cheryl tasciotti@adopt.specificclick[2].txt (ID = 3400)
7:08 PM: Found Spy Cookie: adrevolver cookie
7:08 PM: cheryl tasciotti@adrevolver[1].txt (ID = 2088)
7:08 PM: cheryl tasciotti@adrevolver[3].txt (ID = 2088)
7:08 PM: Found Spy Cookie: belointeractive cookie
7:08 PM: cheryl tasciotti@ads.belointeractive[2].txt (ID = 2295)
7:08 PM: Found Spy Cookie: falkag cookie
7:08 PM: cheryl tasciotti@as-us.falkag[2].txt (ID = 2650)
7:08 PM: Found Spy Cookie: ask cookie
7:08 PM: cheryl tasciotti@ask[1].txt (ID = 2245)
7:08 PM: Found Spy Cookie: atwola cookie
7:08 PM: cheryl tasciotti@atwola[1].txt (ID = 2255)
7:08 PM: Found Spy Cookie: bannerspace cookie
7:08 PM: cheryl tasciotti@bannerspace[1].txt (ID = 2284)
7:08 PM: Found Spy Cookie: banner cookie
7:08 PM: cheryl tasciotti@banner[1].txt (ID = 2276)
7:08 PM: cheryl tasciotti@belointeractive[1].txt (ID = 2294)
7:08 PM: Found Spy Cookie: bs.serving-sys cookie
7:08 PM: cheryl tasciotti@bs.serving-sys[1].txt (ID = 2330)
7:08 PM: Found Spy Cookie: burstnet cookie
7:08 PM: cheryl tasciotti@burstnet[1].txt (ID = 2336)
7:08 PM: Found Spy Cookie: zedo cookie
7:08 PM: cheryl tasciotti@c5.zedo[1].txt (ID = 3763)
7:08 PM: cheryl tasciotti@homepage.belointeractive[1].txt (ID = 2295)
7:08 PM: Found Spy Cookie: iwon cookie
7:08 PM: cheryl tasciotti@iwon[2].txt (ID = 2883)
7:08 PM: Found Spy Cookie: serving-sys cookie
7:08 PM: cheryl tasciotti@serving-sys[2].txt (ID = 3343)
7:08 PM: cheryl tasciotti@zedo[2].txt (ID = 3762)
7:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
7:08 PM: Starting File Sweep
7:08 PM: c:\program files\common files\dpi (ID = -2147481129)
7:08 PM: c:\documents and settings\all users\application data\pcsvc (19 subtraces) (ID = -2147481135)
7:08 PM: Found Adware: clearsearch
7:08 PM: c:\program files\clearsearch (1 subtraces) (ID = -2147481257)
7:08 PM: Found Adware: keenvalue/perfectnav
7:08 PM: c:\program files\common files\updater (ID = -2147480788)
7:08 PM: c:\windows\system32\pcs (1 subtraces) (ID = -2147481121)
7:08 PM: Found Adware: apropos
7:08 PM: c:\program files\sysai (ID = -2147481417)
7:08 PM: Found Adware: targetsoft
7:08 PM: c:\program files\target soft (1 subtraces) (ID = -2147480166)
7:09 PM: Found Adware: keyhost hijacker - jraun
7:09 PM: keyactivextest.ocx (ID = 65153)
7:09 PM: ink_inkline023-t.dfn (ID = 57718)
7:09 PM: delfinst.ebd (ID = 57692)
7:09 PM: delfintg.ebd (ID = 57693)
7:09 PM: delfinlo.ebd (ID = 57687)
7:10 PM: Found Adware: mindset interactive - favoriteman
7:10 PM: vg.dat (ID = 69877)
7:11 PM: Found Adware: seekseek
7:11 PM: urls.bin (ID = 75334)
7:14 PM: vurls.bin (ID = 75336)
7:15 PM: delfinco.edx (ID = 57682)
7:15 PM: Found Adware: iwon
7:15 PM: i1initialsetup1.0.0.5.inf (ID = 64798)
7:15 PM: Found Adware: abetterinternet
7:15 PM: thin.inf (ID = 83583)
7:15 PM: delfinld.edx (ID = 57682)
7:15 PM: delfinsi.edx (ID = 57691)
7:15 PM: delfinky.edx (ID = 57685)
7:16 PM: File Sweep Complete, Elapsed Time: 00:07:43
7:16 PM: Full Sweep has completed. Elapsed time 00:16:09
7:16 PM: Traces Found: 569
7:51 PM: Removal process initiated
7:52 PM: Quarantining All Traces: 2nd-thought
7:52 PM: Quarantining All Traces: addestroyer
7:52 PM: Quarantining All Traces: delfin
7:52 PM: Quarantining All Traces: squire webhelper
7:52 PM: Quarantining All Traces: websearch toolbar
7:52 PM: Quarantining All Traces: websponsors cookie
7:52 PM: Quarantining All Traces: yieldmanager cookie
7:52 PM: Quarantining All Traces: specificclick.com cookie
7:52 PM: Quarantining All Traces: adrevolver cookie
7:52 PM: Quarantining All Traces: belointeractive cookie
7:52 PM: Quarantining All Traces: falkag cookie
7:52 PM: Quarantining All Traces: ask cookie
7:52 PM: Quarantining All Traces: atwola cookie
7:52 PM: Quarantining All Traces: bannerspace cookie
7:52 PM: Quarantining All Traces: banner cookie
7:52 PM: Quarantining All Traces: bs.serving-sys cookie
7:52 PM: Quarantining All Traces: burstnet cookie
7:52 PM: Quarantining All Traces: zedo cookie
7:52 PM: Quarantining All Traces: iwon cookie
7:52 PM: Quarantining All Traces: serving-sys cookie
7:52 PM: Quarantining All Traces: clearsearch
7:52 PM: Quarantining All Traces: keenvalue/perfectnav
7:52 PM: Quarantining All Traces: apropos
7:52 PM: Quarantining All Traces: targetsoft
7:52 PM: Quarantining All Traces: keyhost hijacker - jraun
7:52 PM: Quarantining All Traces: mindset interactive - favoriteman
7:52 PM: Quarantining All Traces: seekseek
7:52 PM: Quarantining All Traces: iwon
7:52 PM: Quarantining All Traces: abetterinternet
7:54 PM: Removal process completed. Elapsed time 00:02:33
********



Second Spy sweeper session
********
8:51 PM: |··· Start of Session, Thursday, August 11, 2005 ···|
8:51 PM: Spy Sweeper started
8:51 PM: Sweep initiated using definitions version 514
8:51 PM: Starting Memory Sweep
8:57 PM: Memory Sweep Complete, Elapsed Time: 00:05:47
8:57 PM: Starting Registry Sweep
8:57 PM: Found Trojan Horse: 2nd-thought
8:57 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
8:57 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
8:57 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
8:57 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
8:57 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
8:57 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
8:57 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
8:57 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
8:57 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
8:57 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
8:57 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
8:57 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
8:57 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
8:57 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
8:57 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
8:57 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
8:57 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
8:57 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
8:57 PM: Found Adware: addestroyer
8:57 PM: HKCR\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 102728)
8:57 PM: HKCR\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102729)
8:57 PM: HKCR\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102730)
8:57 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102732)
8:57 PM: HKCR\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102733)
8:57 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102734)
8:57 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 102735)
8:57 PM: HKCR\swlad1.swlad\ (3 subtraces) (ID = 102736)
8:57 PM: HKLM\software\classes\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 102737)
8:57 PM: HKLM\software\classes\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102738)
8:57 PM: HKLM\software\classes\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102739)
8:57 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102741)
8:57 PM: HKLM\software\classes\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102742)
8:57 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102743)
8:57 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 102744)
8:57 PM: HKLM\software\classes\swlad1.swlad\ (3 subtraces) (ID = 102745)
8:57 PM: HKLM\software\classes\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102746)
8:57 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102747)
8:57 PM: HKCR\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102750)
8:57 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102751)
8:57 PM: Found Adware: delfin
8:57 PM: HKCR\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 124837)
8:57 PM: HKCR\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 124838)
8:57 PM: HKCR\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124839)
8:57 PM: HKCR\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124840)
8:57 PM: HKLM\software\classes\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 124841)
8:57 PM: HKLM\software\classes\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 124842)
8:57 PM: HKLM\software\classes\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124843)
8:57 PM: HKLM\software\classes\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124844)
8:57 PM: HKLM\software\classes\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124845)
8:57 PM: HKLM\software\classes\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124846)
8:57 PM: HKLM\software\microsoft\windows\currentversion\uninstall\pgate\ (2 subtraces) (ID = 124881)
8:57 PM: HKU\S-1-5-21-1948358126-1296844153-3270823822-1006\software\pcsv\ (5 subtraces) (ID = 124887)
8:57 PM: HKLM\software\pcsv\ (6 subtraces) (ID = 124888)
8:57 PM: HKCR\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124899)
8:57 PM: HKCR\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124900)
8:57 PM: Found Adware: squire webhelper
8:57 PM: HKCR\typelib\{805af2c8-98c7-4f3c-a7c9-25ebf27567f3}\ (9 subtraces) (ID = 142155)
8:57 PM: HKLM\software\classes\typelib\{805af2c8-98c7-4f3c-a7c9-25ebf27567f3}\ (9 subtraces) (ID = 142176)
8:57 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sqwire\ (2 subtraces) (ID = 142190)
8:57 PM: Found Adware: websearch toolbar
8:57 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
8:57 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 466854)
8:57 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 466855)
8:57 PM: HKCR\popoops2.popoops\clsid\ (1 subtraces) (ID = 466856)
8:57 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 466858)
8:57 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 466859)
8:57 PM: HKLM\software\classes\popoops2.popoops\clsid\ (1 subtraces) (ID = 466860)
8:58 PM: Registry Sweep Complete, Elapsed Time:00:00:37
8:58 PM: Starting Cookie Sweep
8:58 PM: Found Spy Cookie: yieldmanager cookie
8:58 PM: cheryl tasciotti@ad.yieldmanager[1].txt (ID = 3751)
8:58 PM: Found Spy Cookie: adrevolver cookie
8:58 PM: cheryl tasciotti@adrevolver[2].txt (ID = 2088)
8:58 PM: cheryl tasciotti@adrevolver[3].txt (ID = 2088)
8:58 PM: Found Spy Cookie: belointeractive cookie
8:58 PM: cheryl tasciotti@ads.belointeractive[2].txt (ID = 2295)
8:58 PM: Found Spy Cookie: atwola cookie
8:58 PM: cheryl tasciotti@atwola[1].txt (ID = 2255)
8:58 PM: cheryl tasciotti@belointeractive[1].txt (ID = 2294)
8:58 PM: Found Spy Cookie: bs.serving-sys cookie
8:58 PM: cheryl tasciotti@bs.serving-sys[1].txt (ID = 2330)
8:58 PM: Found Spy Cookie: adjuggler cookie
8:58 PM: cheryl tasciotti@rotator.adjuggler[1].txt (ID = 2071)
8:58 PM: Found Spy Cookie: serving-sys cookie
8:58 PM: cheryl tasciotti@serving-sys[2].txt (ID = 3343)
8:58 PM: cheryl tasciotti@te.belointeractive[2].txt (ID = 2295)
8:58 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:58 PM: Starting File Sweep
8:58 PM: Found Adware: targetsoft
8:58 PM: c:\program files\target soft (1 subtraces) (ID = -2147480166)
8:58 PM: c:\windows\system32\pcs (ID = -2147481121)
8:58 PM: Found Adware: apropos
8:58 PM: c:\program files\sysai (ID = -2147481417)
8:58 PM: Found Adware: keenvalue/perfectnav
8:58 PM: c:\program files\common files\updater (ID = -2147480788)
8:58 PM: c:\documents and settings\all users\application data\pcsvc (1 subtraces) (ID = -2147481135)
8:58 PM: Found Adware: clearsearch
8:58 PM: c:\program files\clearsearch (ID = -2147481257)
8:58 PM: c:\program files\common files\dpi (ID = -2147481129)
9:04 PM: File Sweep Complete, Elapsed Time: 00:06:26
9:04 PM: Full Sweep has completed. Elapsed time 00:13:06
9:04 PM: Traces Found: 526
9:18 PM: Removal process initiated
9:18 PM: Quarantining All Traces: 2nd-thought
9:18 PM: Quarantining All Traces: addestroyer
9:18 PM: Quarantining All Traces: delfin
9:18 PM: Quarantining All Traces: squire webhelper
9:18 PM: Quarantining All Traces: websearch toolbar
9:18 PM: Quarantining All Traces: yieldmanager cookie
9:18 PM: Quarantining All Traces: adrevolver cookie
9:18 PM: Quarantining All Traces: belointeractive cookie
9:18 PM: Quarantining All Traces: atwola cookie
9:18 PM: Quarantining All Traces: bs.serving-sys cookie
9:18 PM: Quarantining All Traces: adjuggler cookie
9:18 PM: Quarantining All Traces: serving-sys cookie
9:18 PM: Quarantining All Traces: targetsoft
9:18 PM: Quarantining All Traces: apropos
9:18 PM: Quarantining All Traces: keenvalue/perfectnav
9:18 PM: Quarantining All Traces: clearsearch
9:20 PM: Removal process completed. Elapsed time 00:02:54
********

HOSTS Notepad
# Copyright © 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

Edited by cbt131, 11 August 2005 - 08:38 PM.


#12 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Try not to worry, we will get it sorted. I need to see a new HijackThis log.

#13 cbt131 (Member, Topic Starter, 41 posts)
New Hijack this log:

Reinstalled McAfee and it is working fine now.

Thanks again,
Cheryl


Logfile of HijackThis v1.99.1
Scan saved at 6:16:04 AM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Franklin Covey\Planner\planner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cheryl Tasciotti\Desktop\HijackThis One.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Edited by cbt131, 12 August 2005 - 05:18 AM.

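Reading a log like the one above by hand means grouping the entries by their section code and picking out the lines that deserve a second look before replying. The Python script below is an added example, not code from this thread, from HijackThis or from Geeks to Go. It parses lines in the HijackThis 1.99 format, groups them by section, and flags two structural things a helper checks first: entries whose target is "(no file)" (orphaned registry references) and O4 autoruns that launch from the Startup folders or from user-writable paths such as a profile or Temp directory. The sample lines, CLSIDs and hostnames are constructed for the example, and a flag means "review", not "malicious".

```python
"""Group HijackThis-style log lines by section and flag entries worth a second look."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis 1.99 format (built for this example, not copied from the thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.test/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.example.test/?q=%s
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Installer Class) - http://www.example.test/inst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
""".strip()

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "<where>: [<name>] <command>"; the [name] part is absent for Startup-folder items.
O4_RE = re.compile(r"^(?P<where>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# Path fragments a limited XP user can write to; an autorun launching from here is worth a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) for every line that looks like a HijackThis entry."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def group_by_section(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket entry bodies under their section code (R0, O4, O23, ...)."""
    sections: Dict[str, List[str]] = {}
    for code, body in entries:
        sections.setdefault(code, []).append(body)
    return sections


def flag_entry(code: str, body: str) -> Optional[str]:
    """Return a review reason for the entry, or None if nothing stands out structurally."""
    if "(no file)" in body:
        return "no-file"                 # registry points at a file that is gone: leftover to clean
    if code == "O4":
        m = O4_RE.match(body)
        if m is None:
            return None
        where, cmd = m.group("where"), m.group("cmd").lower()
        if where.endswith("Startup"):
            return "startup-folder"      # per-user or all-users Startup folder, user-writable by design
        if any(fragment in cmd for fragment in USER_WRITABLE):
            return "user-writable-path"  # autorun from a profile/temp path rather than Program Files
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(reason, code, body) for every flagged entry, in log order."""
    flagged: List[Tuple[str, str, str]] = []
    for code, body in parse_log(text):
        reason = flag_entry(code, body)
        if reason is not None:
            flagged.append((reason, code, body))
    return flagged


if __name__ == "__main__":
    for code, bodies in sorted(group_by_section(parse_log(SAMPLE_LOG)).items()):
        print(f"{code}: {len(bodies)} entries")
    for reason, code, body in triage(SAMPLE_LOG):
        print(f"[{reason}] {code} - {body}")
```

Run against the constructed sample it flags the Temp-folder Run entry, the Startup-folder item and the orphaned O9 button, and leaves the Program Files, Winlogon Notify and service lines alone; those still need a human eye, the script only narrows the list.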

#14 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Your log looks fine.

Let's restore your original HOSTS file. If McAfee complains about it, ignore it:

Download the Hoster.
  • Unzip Hoster to a convenient folder such as C:\Hoster.
  • Run Hoster.exe from its new home.
  • Click "Make Hosts Writable?" in the upper right corner (if available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.
Are you having any other problems?
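The "HOSTS settings were changed" warning in post #11 and the restore step above both come down to what is actually in that file: a stock Windows XP HOSTS file carries one mapping, 127.0.0.1 localhost, and Spybot - Search & Destroy adds its own block between the two marker comments seen in the posted copy. The Python script below is an added example, not code from this thread, from Hoster or from Spy Sweeper. It parses a HOSTS file, treats the stock localhost line and Spybot's marked block as expected, and reports everything else, separating sites sinkholed to the loopback address outside Spybot's block (the classic way a hijacker blocks antivirus update servers) from names redirected to some other address. The sample file, its hostnames and the 198.51.100.7 address are constructed for the example.

```python
"""Audit a Windows HOSTS file: report mappings beyond the stock localhost line."""
from typing import List, Tuple

# Constructed sample (not the HOSTS file posted in the thread): the stock header and
# localhost mapping, a Spybot block-list section, and two entries of the kind a hijacker adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ads.example-adserver.test
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 update.example-antivirus.test   # sinkholes an update server
198.51.100.7 www.example-bank.test        # sends a site to a non-local address
"""

SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that make a name resolve to nowhere

Mapping = Tuple[int, str, str, bool]   # (line number, ip, hostname, inside Spybot block)
Finding = Tuple[int, str, str, str]    # (line number, ip, hostname, verdict)


def parse_hosts(text: str) -> List[Mapping]:
    """One record per hostname on each mapping line; comments and blanks are skipped."""
    mappings: List[Mapping] = []
    in_spybot = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped == SPYBOT_START:
            in_spybot = True
            continue
        if stripped == SPYBOT_END:
            in_spybot = False
            continue
        line = stripped.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                                 # blank, comment-only or malformed line
        for name in parts[1:]:                       # a line may map several names to one IP
            mappings.append((lineno, parts[0], name, in_spybot))
    return mappings


def audit_hosts(text: str) -> List[Finding]:
    """Classify every mapping that is not the stock '127.0.0.1 localhost' line."""
    findings: List[Finding] = []
    for lineno, ip, name, in_spybot in parse_hosts(text):
        if name.lower() == "localhost" and ip in SINKHOLE_IPS:
            continue                                  # the only mapping a stock XP file has
        if ip in SINKHOLE_IPS and in_spybot:
            verdict = "spybot-blocklist"              # expected: Spybot's own entries
        elif ip in SINKHOLE_IPS:
            verdict = "blocked-outside-spybot"        # a site sinkholed by something else
        else:
            verdict = "redirected"                    # name answered by a non-local address
        findings.append((lineno, ip, name, verdict))
    return findings


def stock_hosts() -> str:
    """The one mapping a stock Windows XP HOSTS file carries once comments are removed."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    for lineno, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name} -> {verdict}")
```

Run against the HOSTS file actually posted in this thread (one localhost line and an empty Spybot block) the audit returns nothing, which is the practical way to confirm that a "HOSTS was changed" alert referred to a clean rewrite rather than to an added hijack entry; on Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts.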

#15 cbt131 (Member, Topic Starter, 41 posts)
I haven't done the restore of the original HOSTS yet because, since I got home from work yesterday, I haven't seen that "HOSTS was changed" message displayed.

Wondering if I should do it anyway?
thanks
Cheryl