Justin, thank you for the instructions. I notice that IE Properties > Privacy > Settings no longer has the IP address or neededware listed as allowed sites. Since I still see new desktop icons appearing, we are probably not done yet... (the new one is called "welcome" from www.consumeralertsystem.com) <-- also found by ActiveScan.
First, the Ewido log (realize that I did a full scan and cleanup yesterday with Ewido, so the files found today were generated today):
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:10:11 PM, 8/9/2005
+ Report-Checksum: 57262519
+ Scan result:
C:\WINDOWS\system32\ccbqacc.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\eerckee.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
::Report End
Next Activescan:
Incident Status Location
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware:adware/popuper No disinfected C:\Documents and Settings\All Users\Desktop\Spyware Removal.url
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\mablindman\Application Data\Sskcwrd.dll
Adware:adware/superspider No disinfected C:\Documents and Settings\mablindman\Favorites\Online Dating.url
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\mablindman\SSK3_B5 Verticlick 8.exe
Virus:Bck/Sdbot.gen Disinfected C:\Documents and Settings\rikki.MARKSPC\My Documents\bestfriends.scr
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\rimq\rimqd\rimqc.dll
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\a.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\u.class
Adware:Adware/PortalScan No disinfected C:\temporary\install113.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\bundles\2504040901.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/Neededware No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx
Adware:Adware/Neededware No disinfected C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Adware:adware/gator No disinfected C:\WINDOWS\GatorPdpPlugin.log
Virus:Trj/Multidropper.AM Disinfected C:\WINDOWS\system32\0021-bdl94126.EXE
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\p2psetup.exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MB8C4Y9R\p2psetup[1].exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TMXN2UVD\WebRebates_Auto_InstallSilent[1].exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UILCMRH8\p2psetup[1].exe
Adware:Adware/BrilliantDigital No disinfected C:\WINDOWS\system32\dman4.dll
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\system32\exclean.exe
Virus:Trj/Agent.ADY Disinfected C:\WINDOWS\system32\okuqet.exe
Adware:adware/virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\r?gsvr32.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:adware/sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Winstat No disinfected C:\WINDOWS\system32\WinStat13.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.exe
Adware:Adware/Imibar No disinfected C:\WINDOWS\ttext.dll
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Finally, HijackThis: (I did not delete the O15 neededware entry yesterday, so I am not surprised it showed up again.)
Logfile of HijackThis v1.99.1
Scan saved at 7:21:39 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\okuqet.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\Popupscn.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mablindman\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\PROGRA~1\PANICW~1\POP-UP~2\Popupscn.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [okuqet] C:\WINDOWS\system32\okuqet.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {ED9AE050-C0B7-45CC-A50B-39C2DA78401B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED9AE050-C0B7-45CC-A50B-39C2DA78401B} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117282792436
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)