That doesn't sound good!
Was that what you were hoping for?
Problems with winfixer/nail/abi/aurora, etc [RESOLVED]
Started by
abbytheroad
, Aug 06 2005 08:10 PM
-
This topic is locked
#16
Posted 10 August 2005 - 12:55 PM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
That doesn't sound good!
Was that what you were hoping for?
#17
Posted 10 August 2005 - 01:00 PM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
Ok, run HiJackThis and check the following object for removal;
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
Then make sure only HiJackThis is running (Close any other open windows) - "Fix Checked".
Exit HiJackThis.
Delete the following file;
C:\WINDOWS\system32\m190309.EXE
Empty your recycle bin.
Reboot. This SHOULD be done, but I just want to make sure. Please post a fresh HiJackThis log along with this log from this online scan;
Panda Activescan
We'll just clear up what's left if any.
- Rawe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
Then make sure only HiJackThis is running (Close any other open windows) - "Fix Checked".
Exit HiJackThis.
Delete the following file;
C:\WINDOWS\system32\m190309.EXE
Empty your recycle bin.
Reboot. This SHOULD be done, but I just want to make sure. Please post a fresh HiJackThis log along with this log from this online scan;
Panda Activescan
We'll just clear up what's left if any.
- Rawe
#18
Posted 10 August 2005 - 02:44 PM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Ok I deleted it from the Hijackthis scan, but could not find it on my computer otherwise... I scanned with Panda activescan and these are the results:
Incident Status Location
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM\UpdInstall.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\BUNDLES\2504040824.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/tvmedia No disinfected C:\WINDOWS\bundles
Adware:adware/consumeralertsystemNo disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix\backup.zip[xSctsrv.dll]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix.exe[Process.exe]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D73C81F9-830B-4D31-96CD-072E31\B574C207-632A-4675-9883-60EF40
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP369\A0116439.exe
Adware:Adware/SearchBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP373\A0116605.DLL
Adware:Adware/P2PNetworking No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0116744.cpl
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP383\A0123585.inf
Adware:Adware/MBKWBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP383\A0123612.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128890.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128892.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128940.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128951.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128957.dll
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128961.exe
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\bundles\setup_silent_17123.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\bi6.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\kjmtfafo.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 4:41:29 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
And winfixer and other strange pop ups are still making me close all browser windows often.
Incident Status Location
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM\UpdInstall.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\BUNDLES\2504040824.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/tvmedia No disinfected C:\WINDOWS\bundles
Adware:adware/consumeralertsystemNo disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix\backup.zip[xSctsrv.dll]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Linda Appling\Desktop\Unused Desktop Shortcuts\l2mfix.exe[Process.exe]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D73C81F9-830B-4D31-96CD-072E31\B574C207-632A-4675-9883-60EF40
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP369\A0116439.exe
Adware:Adware/SearchBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP373\A0116605.DLL
Adware:Adware/P2PNetworking No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0116744.cpl
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP383\A0123585.inf
Adware:Adware/MBKWBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP383\A0123612.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128890.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128892.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128940.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128951.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128957.dll
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0128961.exe
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\bundles\setup_silent_17123.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\bi6.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\kjmtfafo.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 4:41:29 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
And winfixer and other strange pop ups are still making me close all browser windows often.
#19
Posted 10 August 2005 - 02:56 PM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
Ok, let's get this pest over with ! 
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.
Next, can you locate the following folder and delete it's content only, not the folder itself;
C:\Program Files\Microsoft AntiSpyware\Quarantine\
Then, delete the following files/folders if present;
C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM\UpdInstall.exe
C:\WINDOWS\BUNDLES\2504040824.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\woinstall.exe
C:\PROGRAM FILES\MyWay <= Entire Folder
C:\PROGRAM FILES\SearchRelevant <= Entire Folder
C:\WINDOWS\bundles <= Entire Folder
C:\WINDOWS\INF\bi6.inf
C:\WINDOWS\SYSTEM32\kjmtfafo.dll
C:\WINDOWS\SYSTEM32\Shex.exe
When finished deleting;
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
Disable System Restore;
1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once at Safe Mode, launch SpySweeper;
Enable System Restore;
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".
System Restore will now be active again.
Be sure to set a new restore point.
After that, post the SpySweeper log here along with a fresh HiJackThis log.
Also let me know how things went.
- Rawe
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.
Next, can you locate the following folder and delete it's content only, not the folder itself;
C:\Program Files\Microsoft AntiSpyware\Quarantine\
Then, delete the following files/folders if present;
C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM\UpdInstall.exe
C:\WINDOWS\BUNDLES\2504040824.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\woinstall.exe
C:\PROGRAM FILES\MyWay <= Entire Folder
C:\PROGRAM FILES\SearchRelevant <= Entire Folder
C:\WINDOWS\bundles <= Entire Folder
C:\WINDOWS\INF\bi6.inf
C:\WINDOWS\SYSTEM32\kjmtfafo.dll
C:\WINDOWS\SYSTEM32\Shex.exe
When finished deleting;
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
- Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
- Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directoy as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
- Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
Disable SpySweeper Shields[list] - Click Shields on the left.
- Click Internet Explorer and uncheck all items.
- Click Windows System and uncheck all items.
- Click Startup Programs and uncheck all items.
- Once the definitions are installed and shields disabled, exit SpySweeper.
Disable System Restore;
1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once at Safe Mode, launch SpySweeper;
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply.
Enable System Restore;
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".
System Restore will now be active again.
Be sure to set a new restore point.After that, post the SpySweeper log here along with a fresh HiJackThis log.
Also let me know how things went.
- Rawe
#20
Posted 10 August 2005 - 03:04 PM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
One question. What is the easiest way to find/open these files and delete the contents. I only know to search by name and go from there. Is there another place to go that doesn't include a search?
"Next, can you locate the following folder and delete it's content only, not the folder itself;
C:\Program Files\Microsoft AntiSpyware\Quarantine\"
That is probably a dumb question. But I had to ask.
BTW the settings for hidden files and such are as they should be.
And when I searched for that folder, 7 came up, all empty. Was that the contents of the folder? Why wouldn't the folder just come up?
"Next, can you locate the following folder and delete it's content only, not the folder itself;
C:\Program Files\Microsoft AntiSpyware\Quarantine\"
That is probably a dumb question. But I had to ask.
BTW the settings for hidden files and such are as they should be.
And when I searched for that folder, 7 came up, all empty. Was that the contents of the folder? Why wouldn't the folder just come up?
#21
Posted 10 August 2005 - 03:18 PM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
Click -> Start -> My Computer -> and go to C:\ -drive. Choose Program Files. Then look for Microsoft AntiSpyware - folder. Double-click it, choose the folder for "Quarantine" and delete everything inside it.
Hope this helps.
- Rawe
Hope this helps.
- Rawe
#22
Posted 10 August 2005 - 03:47 PM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Alright. I managed everything up until I tried to disable system restore. I unchecked it, and clicked apply. Then it froze. So I couldn't click ok afterwards. It was "not responding" so I ended it. Now I don't know if it is working or not, because I can't seem to be able to open up the properties of my computer where I originally found it. How do I know if it is working or not?
#23
Posted 10 August 2005 - 04:32 PM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Ok well system restore was turned off, and I rebooted in safe mode. I ran the scan and saved the results, rebooted in normal mode, and enabled system restore. I have not set a new restore point, any suggestions on that?
Here is the log from that sweeper scan:
6:09 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
6:09 PM: Spy Sweeper started
6:09 PM: Sweep initiated using definitions version 492
6:09 PM: Starting Memory Sweep
6:10 PM: Memory Sweep Complete, Elapsed Time: 00:00:37
6:10 PM: Starting Registry Sweep
6:10 PM: Found Adware: bookedspace
6:10 PM: HKLM\software\configuration manager\cfgmgr52\ (356 subtraces) (ID = 650537)
6:10 PM: Found Adware: browseraid
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 650796)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 650796)
6:10 PM: Found Adware: cydoor peer-to-peer dependency
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\kazaa\promotions\cydoor\ (16 subtraces) (ID = 670237)
6:10 PM: Found Adware: ebates money maker
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 671297)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 671297)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 671299)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 671300)
6:10 PM: Found Adware: ieplugin
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 673825)
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\enhsrch\ (42 subtraces) (ID = 673826)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\enhsrch\ (15 subtraces) (ID = 673826)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\intexp\ (46 subtraces) (ID = 673827)
6:10 PM: HKLM\software\microsoft\code store database\distribution units\{886dde35-e955-11d0-a707-000000521958}\ (11 subtraces) (ID = 673830)
6:10 PM: Found Adware: drsnsrch.com hijacker
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 673859)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 673866)
6:10 PM: Found Adware: ietoolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\mbkwbar\ (11 subtraces) (ID = 673902)
6:10 PM: HKLM\software\mbkwbar\ (1 subtraces) (ID = 673903)
6:10 PM: Found Adware: instafinder
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\instafink\ (21 subtraces) (ID = 674328)
6:10 PM: Found Adware: interads
6:10 PM: HKLM\software\interads\ (38349 subtraces) (ID = 674511)
6:10 PM: Found Adware: lopdotcom
6:10 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 676154)
6:10 PM: Found Adware: 180search assistant
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\180solutions\ (ID = 681215)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\msbb\ (11 subtraces) (ID = 681376)
6:10 PM: Found Adware: redzip toolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 684769)
6:10 PM: Found Adware: search-exe hijacker
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\search\ || searchassistant (ID = 686369)
6:10 PM: Found Adware: searchrelevancy
6:10 PM: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 686704)
6:10 PM: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 686707)
6:10 PM: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 686709)
6:10 PM: HKLM\software\classes\updater.bho\ (5 subtraces) (ID = 686711)
6:10 PM: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 686716)
6:10 PM: HKCR\updater.bho\ (5 subtraces) (ID = 686717)
6:10 PM: Found Adware: searchtoolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 686768)
6:10 PM: Found Adware: seekseek.com hijacker
6:10 PM: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 686991)
6:10 PM: Found Adware: spad
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\menuext\shorten url\ (1 subtraces) (ID = 687310)
6:10 PM: Found Adware: upspiral toolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 690865)
6:10 PM: Found Adware: abetterinternet
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || au3n5a7tionscode (ID = 691235)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aub3d5om (ID = 691236)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc1o3d5eofsfinalad (ID = 691237)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3n5tfyl (ID = 691238)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3n5trmsgsdisp (ID = 691239)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3u5rrentsmode (ID = 691240)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aud3s5tssend (ID = 691241)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aue3v5nt (ID = 691242)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3d5ofsinst (ID = 691243)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3g5nores (ID = 691244)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progscab (ID = 691245)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progsex (ID = 691246)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progslstest (ID = 691247)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aul3n5title (ID = 691248)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aum3o5dessync (ID = 691249)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aup3d5om (ID = 691250)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5atusofsinst (ID = 691251)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky1s (ID = 691252)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky2s (ID = 691253)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky3s (ID = 691254)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky4s (ID = 691255)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsbath (ID = 691256)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshschecksin (ID = 691257)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsmots (ID = 691258)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsyssinf (ID = 691259)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3i5m7eofsfinalad (ID = 691260)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dlmax\ (29 subtraces) (ID = 691330)
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38}\ (1 subtraces) (ID = 691337)
6:10 PM: Found Adware: webrebates
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 691724)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 691725)
6:10 PM: Found Adware: websearch toolbar
6:10 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 691950)
6:10 PM: Registry Sweep Complete, Elapsed Time:00:00:09
6:10 PM: Starting Cookie Sweep
6:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:10 PM: Starting File Sweep
6:11 PM: Found System Monitor: networkessentials
6:11 PM: c:\program files\support software (ID = 602549)
6:11 PM: Found Adware: sidesearch
6:11 PM: c:\documents and settings\ryan appling\application data\lycos (2 subtraces) (ID = 607936)
6:12 PM: lycos sidesearch.lnk (ID = 607914)
6:13 PM: Found Adware: addestroyer
6:13 PM: inneradinstall.log (ID = 579440)
6:13 PM: Found Trojan Horse: 2nd-thought
6:13 PM: second thought.lnk (ID = 578597)
6:13 PM: Found Adware: zestyfind desktop links
6:13 PM: iconz2.exe (ID = 623434)
6:13 PM: mbkwnst.exe (ID = 594479)
6:13 PM: second thought.lnk (ID = 578597)
6:14 PM: mypcsearch.lnk (ID = 578576)
6:14 PM: mypcsearch.lnk (ID = 578576)
6:14 PM: Found Adware: golden palace casino
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: ncaseinstaller.inf (ID = 602003)
6:14 PM: mbkwnst.inf (ID = 594481)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: File Sweep Complete, Elapsed Time: 00:04:03
6:14 PM: Full Sweep has completed. Elapsed time 00:04:58
6:14 PM: Traces Found: 39088
6:15 PM: Removal process initiated
6:15 PM: Quarantining All Traces: bookedspace
6:15 PM: Quarantining All Traces: browseraid
6:16 PM: Quarantining All Traces: cydoor peer-to-peer dependency
6:16 PM: Quarantining All Traces: ebates money maker
6:16 PM: Quarantining All Traces: ieplugin
6:16 PM: Quarantining All Traces: drsnsrch.com hijacker
6:16 PM: Quarantining All Traces: ietoolbar
6:16 PM: Quarantining All Traces: instafinder
6:16 PM: Quarantining All Traces: interads
6:16 PM: Quarantining All Traces: lopdotcom
6:17 PM: Quarantining All Traces: 180search assistant
6:17 PM: Quarantining All Traces: redzip toolbar
6:17 PM: Quarantining All Traces: search-exe hijacker
6:17 PM: Quarantining All Traces: searchrelevancy
6:17 PM: Quarantining All Traces: searchtoolbar
6:17 PM: Quarantining All Traces: seekseek.com hijacker
6:17 PM: Quarantining All Traces: spad
6:17 PM: Quarantining All Traces: upspiral toolbar
6:17 PM: Quarantining All Traces: abetterinternet
6:18 PM: Quarantining All Traces: webrebates
6:18 PM: Quarantining All Traces: websearch toolbar
6:18 PM: Quarantining All Traces: networkessentials
6:18 PM: Quarantining All Traces: sidesearch
6:18 PM: Quarantining All Traces: addestroyer
6:18 PM: Quarantining All Traces: 2nd-thought
6:18 PM: Quarantining All Traces: zestyfind desktop links
6:19 PM: Quarantining All Traces: golden palace casino
6:19 PM: Removal process completed. Elapsed time 00:03:27
********
5:33 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
5:33 PM: Spy Sweeper started
6:09 PM: Program Version 4.0.4 (Build 430) Using Spyware Definitions 492
6:09 PM: |··· End of Session, Wednesday, August 10, 2005 ···|
I deleted the quarantined things, after it asked me if I wanted to.
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 6:31:23 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
How's it lookin'?
Are we making headway?
Here is the log from that sweeper scan:
6:09 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
6:09 PM: Spy Sweeper started
6:09 PM: Sweep initiated using definitions version 492
6:09 PM: Starting Memory Sweep
6:10 PM: Memory Sweep Complete, Elapsed Time: 00:00:37
6:10 PM: Starting Registry Sweep
6:10 PM: Found Adware: bookedspace
6:10 PM: HKLM\software\configuration manager\cfgmgr52\ (356 subtraces) (ID = 650537)
6:10 PM: Found Adware: browseraid
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 650796)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 650796)
6:10 PM: Found Adware: cydoor peer-to-peer dependency
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\kazaa\promotions\cydoor\ (16 subtraces) (ID = 670237)
6:10 PM: Found Adware: ebates money maker
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 671297)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 671297)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 671299)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 671300)
6:10 PM: Found Adware: ieplugin
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 673825)
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\enhsrch\ (42 subtraces) (ID = 673826)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\enhsrch\ (15 subtraces) (ID = 673826)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\intexp\ (46 subtraces) (ID = 673827)
6:10 PM: HKLM\software\microsoft\code store database\distribution units\{886dde35-e955-11d0-a707-000000521958}\ (11 subtraces) (ID = 673830)
6:10 PM: Found Adware: drsnsrch.com hijacker
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 673859)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 673866)
6:10 PM: Found Adware: ietoolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\mbkwbar\ (11 subtraces) (ID = 673902)
6:10 PM: HKLM\software\mbkwbar\ (1 subtraces) (ID = 673903)
6:10 PM: Found Adware: instafinder
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\instafink\ (21 subtraces) (ID = 674328)
6:10 PM: Found Adware: interads
6:10 PM: HKLM\software\interads\ (38349 subtraces) (ID = 674511)
6:10 PM: Found Adware: lopdotcom
6:10 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 676154)
6:10 PM: Found Adware: 180search assistant
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\180solutions\ (ID = 681215)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\msbb\ (11 subtraces) (ID = 681376)
6:10 PM: Found Adware: redzip toolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 684769)
6:10 PM: Found Adware: search-exe hijacker
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\search\ || searchassistant (ID = 686369)
6:10 PM: Found Adware: searchrelevancy
6:10 PM: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 686704)
6:10 PM: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 686707)
6:10 PM: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 686709)
6:10 PM: HKLM\software\classes\updater.bho\ (5 subtraces) (ID = 686711)
6:10 PM: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 686716)
6:10 PM: HKCR\updater.bho\ (5 subtraces) (ID = 686717)
6:10 PM: Found Adware: searchtoolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 686768)
6:10 PM: Found Adware: seekseek.com hijacker
6:10 PM: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 686991)
6:10 PM: Found Adware: spad
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\menuext\shorten url\ (1 subtraces) (ID = 687310)
6:10 PM: Found Adware: upspiral toolbar
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dsktb\ (6 subtraces) (ID = 690865)
6:10 PM: Found Adware: abetterinternet
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || au3n5a7tionscode (ID = 691235)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aub3d5om (ID = 691236)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc1o3d5eofsfinalad (ID = 691237)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3n5tfyl (ID = 691238)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3n5trmsgsdisp (ID = 691239)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || auc3u5rrentsmode (ID = 691240)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aud3s5tssend (ID = 691241)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aue3v5nt (ID = 691242)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3d5ofsinst (ID = 691243)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3g5nores (ID = 691244)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progscab (ID = 691245)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progsex (ID = 691246)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aui3n5progslstest (ID = 691247)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aul3n5title (ID = 691248)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aum3o5dessync (ID = 691249)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aup3d5om (ID = 691250)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5atusofsinst (ID = 691251)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky1s (ID = 691252)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky2s (ID = 691253)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky3s (ID = 691254)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aus3t5icky4s (ID = 691255)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsbath (ID = 691256)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshschecksin (ID = 691257)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsmots (ID = 691258)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3h5rshsyssinf (ID = 691259)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\aurora\ || aut3i5m7eofsfinalad (ID = 691260)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\dlmax\ (29 subtraces) (ID = 691330)
6:10 PM: HKU\S-1-5-21-1486576457-3194440861-1434820424-1008\software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38}\ (1 subtraces) (ID = 691337)
6:10 PM: Found Adware: webrebates
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 691724)
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1486576457-3194440861-1434820424-1009\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 691725)
6:10 PM: Found Adware: websearch toolbar
6:10 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 691950)
6:10 PM: Registry Sweep Complete, Elapsed Time:00:00:09
6:10 PM: Starting Cookie Sweep
6:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:10 PM: Starting File Sweep
6:11 PM: Found System Monitor: networkessentials
6:11 PM: c:\program files\support software (ID = 602549)
6:11 PM: Found Adware: sidesearch
6:11 PM: c:\documents and settings\ryan appling\application data\lycos (2 subtraces) (ID = 607936)
6:12 PM: lycos sidesearch.lnk (ID = 607914)
6:13 PM: Found Adware: addestroyer
6:13 PM: inneradinstall.log (ID = 579440)
6:13 PM: Found Trojan Horse: 2nd-thought
6:13 PM: second thought.lnk (ID = 578597)
6:13 PM: Found Adware: zestyfind desktop links
6:13 PM: iconz2.exe (ID = 623434)
6:13 PM: mbkwnst.exe (ID = 594479)
6:13 PM: second thought.lnk (ID = 578597)
6:14 PM: mypcsearch.lnk (ID = 578576)
6:14 PM: mypcsearch.lnk (ID = 578576)
6:14 PM: Found Adware: golden palace casino
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: ncaseinstaller.inf (ID = 602003)
6:14 PM: mbkwnst.inf (ID = 594481)
6:14 PM: best casino. $200 signup bonus!.url (ID = 592786)
6:14 PM: File Sweep Complete, Elapsed Time: 00:04:03
6:14 PM: Full Sweep has completed. Elapsed time 00:04:58
6:14 PM: Traces Found: 39088
6:15 PM: Removal process initiated
6:15 PM: Quarantining All Traces: bookedspace
6:15 PM: Quarantining All Traces: browseraid
6:16 PM: Quarantining All Traces: cydoor peer-to-peer dependency
6:16 PM: Quarantining All Traces: ebates money maker
6:16 PM: Quarantining All Traces: ieplugin
6:16 PM: Quarantining All Traces: drsnsrch.com hijacker
6:16 PM: Quarantining All Traces: ietoolbar
6:16 PM: Quarantining All Traces: instafinder
6:16 PM: Quarantining All Traces: interads
6:16 PM: Quarantining All Traces: lopdotcom
6:17 PM: Quarantining All Traces: 180search assistant
6:17 PM: Quarantining All Traces: redzip toolbar
6:17 PM: Quarantining All Traces: search-exe hijacker
6:17 PM: Quarantining All Traces: searchrelevancy
6:17 PM: Quarantining All Traces: searchtoolbar
6:17 PM: Quarantining All Traces: seekseek.com hijacker
6:17 PM: Quarantining All Traces: spad
6:17 PM: Quarantining All Traces: upspiral toolbar
6:17 PM: Quarantining All Traces: abetterinternet
6:18 PM: Quarantining All Traces: webrebates
6:18 PM: Quarantining All Traces: websearch toolbar
6:18 PM: Quarantining All Traces: networkessentials
6:18 PM: Quarantining All Traces: sidesearch
6:18 PM: Quarantining All Traces: addestroyer
6:18 PM: Quarantining All Traces: 2nd-thought
6:18 PM: Quarantining All Traces: zestyfind desktop links
6:19 PM: Quarantining All Traces: golden palace casino
6:19 PM: Removal process completed. Elapsed time 00:03:27
********
5:33 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
5:33 PM: Spy Sweeper started
6:09 PM: Program Version 4.0.4 (Build 430) Using Spyware Definitions 492
6:09 PM: |··· End of Session, Wednesday, August 10, 2005 ···|
I deleted the quarantined things, after it asked me if I wanted to.
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 6:31:23 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
How's it lookin'?
Are we making headway?
#24
Posted 11 August 2005 - 01:09 AM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
Yes, we are!
How is your system running? Any particular problems?
Can you yet AGAIN post me a fresh Panda log to look at?
- Rawe
How is your system running? Any particular problems?
Can you yet AGAIN post me a fresh Panda log to look at?
- Rawe
#25
Posted 11 August 2005 - 08:37 AM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Glad to know we're getting somewhere. That is good news. Now the bad news... I cannot get Panda activescan to work. It wasn't doing anything at all, so I deleted it, and tried to reinstall it, but it was going to take 1350 seconds, as opposed to the 30 seconds it took the first time, and after 20 minutes, it was to be 1500 seconds. Then it froze. I don't think I can get a scan from it. Any other scans I can do??
#26
Posted 11 August 2005 - 08:44 AM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
Ok, let's try few scans then.
Can you first click "Start" -> "Microsoft Update". Or might be WindowsUpdate.
Check your current critical updates situation.. If there is any critical updates available for windows, install them and reboot.
If there isn't any,
do the following (And if there was, do this after the reboot anyway);
Run this online scan;
Trend Micro
Use the "Auto-clean" option and let it fix anything it can. Post me the results to your next reply.
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
Finally, click "Start", Run and type in; MRT
Click "Ok". When the window pops up, click "Next". It will scan - let me know of the results.
Post me the TrendMicro anti-spyware log, log from the TrendMicro online scan as well as a fresh HiJackThis log.
Let me know if the Windows Malicious Software Removal tool found anything too.
- Rawe
Can you first click "Start" -> "Microsoft Update". Or might be WindowsUpdate.
Check your current critical updates situation.. If there is any critical updates available for windows, install them and reboot.
If there isn't any,
do the following (And if there was, do this after the reboot anyway);
Run this online scan;
Trend Micro
Use the "Auto-clean" option and let it fix anything it can. Post me the results to your next reply.
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop (tmas-web-scan.exe)
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click "Start Scan"
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Finally, click "Start", Run and type in; MRT
Click "Ok". When the window pops up, click "Next". It will scan - let me know of the results.
Post me the TrendMicro anti-spyware log, log from the TrendMicro online scan as well as a fresh HiJackThis log.
Let me know if the Windows Malicious Software Removal tool found anything too.
- Rawe
#27
Posted 11 August 2005 - 10:22 AM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Well so far, I have the current updates for Windows. And I scanned with the Trend Micro Housecall, though the delete button is unusable to me, and it won't let me clean the single infection it found because I don't have a "ticket code." I scrolled to see the entire name of the trojan found. What I can see is,
C:\Documents and Settings\Linda Appling\Desktop\Unused DesktopShortcuts\
l2mfix\backup.zip (xSctsrv.dll,)
And the virus is: TROJ_VLINCE.A (1)
I am going to scan with "Trend Micro™ Anti-Spyware for the Web Utility" now. I will post all the results you requested when it's finished.
C:\Documents and Settings\Linda Appling\Desktop\Unused DesktopShortcuts\
l2mfix\backup.zip (xSctsrv.dll,)
And the virus is: TROJ_VLINCE.A (1)
I am going to scan with "Trend Micro™ Anti-Spyware for the Web Utility" now. I will post all the results you requested when it's finished.
#28
Posted 11 August 2005 - 10:47 AM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Ok let's see. This is the log from the second scan:
Started Scanning
Internet Cookies
Found '2o7.net' in 'Internet Explorer Cache'
Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\AppConf'
Found 'confset' in 'Software\AppConf'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
The MRT detected zero threats.
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12:44:41 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
What might I be able to do with that trojan found?? (in my previous post)
Started Scanning
Internet Cookies
Found '2o7.net' in 'Internet Explorer Cache'
Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\AppConf'
Found 'confset' in 'Software\AppConf'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
The MRT detected zero threats.
And here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12:44:41 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelp...ad/tgctlins.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
What might I be able to do with that trojan found?? (in my previous post)
#29
Posted 11 August 2005 - 11:26 AM
Rawe
-
- Member
-
- 4,746 posts
Visiting Staff
It's just an backup from the L2M infection we cleaned.
Delete this zip.file;
C:\Documents and Settings\Linda Appling\Desktop\Unused DesktopShortcuts\
l2mfix\backup.zip
Empty recycle bin.
Do you still have problems?
- Rawe
Delete this zip.file;
C:\Documents and Settings\Linda Appling\Desktop\Unused DesktopShortcuts\
l2mfix\backup.zip
Empty recycle bin.
Do you still have problems?
- Rawe
#30
Posted 11 August 2005 - 11:36 AM
abbytheroad
- Topic Starter
-
- Member
-
- 39 posts
Member
Things are looking much better. Is that all then? My logs looked clean?
Thank you very much. I really appreciate your help. If things seem fixed to you, then I suppose we are finished. I haven't seen winfixer lately, or the strange pop ups. If there is anything else you need to see, let me know. Otherwise, have a wonderful day. Thanks, again.
~Abby
Thank you very much. I really appreciate your help. If things seem fixed to you, then I suppose we are finished. I haven't seen winfixer lately, or the strange pop ups. If there is anything else you need to see, let me know. Otherwise, have a wonderful day. Thanks, again.
~Abby
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
