fake windows security system popups [RESOLVED]


This topic is locked

#1 daveski
Member, 46 posts
OK, so basically a little while ago my computer decided to allow loads of nasty malware onto itself (I blame my sister and her complete ineptitude, but ho hum). Got rid of most of it with a little help from Ad-Aware and friends, but there are three things that won't go away so easily.

1. Most common is this one, it's the

"Your computer might be at risk

- Your virus protection status is bad
- Spyware activity detected

Click this baloon to fix the problem"

pop-up "baloon" thing in the bottom right-hand corner; it tries to look all Microsofty, but then Microsoft wouldn't go "got spyware? download this off some non-Microsoft company!", plus they can probably spell too. I've seen a couple of people with this problem here, so I'm sure one of you has an idea on the matter.

2. Not so frequent is the

"WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to learn how to protect your computer?"

box popping up, claiming to be from Microsoft Security Centre, which it simply isn't, and taking you to some rubbish search website. Now, this MAY have gone; I did all the stuff in the "read this first" thread and since all that I haven't seen it again, but then I've not used the computer much, so it could just be waiting for an opportune moment to annoy me. Fingers crossed anyway.

3. Seemingly every day now, when I load up Firefox, McAfee pops up and says it's deleted something, and going to the log file says it's

C:\WINDOWS\system32\rdsndin.exe Spy-Agent.i

It doesn't come up with it again whilst I'm on the computer at all, and when I restarted just before posting this it didn't come up afterwards; it simply seems to be every day, the first time I use Firefox. No such problems AFAIK with IE or the browser in AOL.

Now, as I said, I did all the Ad-Aware, Spybot, ewido, that online scan and all the like, and these three obnoxiously seem to have slipped through the net, so it's HijackThis time.

Logfile of HijackThis v1.99.1
Scan saved at 15:58:40, on 19/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AOL9~1.0\waol.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\PROGRA~1\AOL9~1.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\Nick\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srbho] FLKPT.exe
O4 - HKLM\..\Run: [Bogobot] teqq32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121207548687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20708039-23CE-4191-BB2A-846547F7919C}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5496C6A1-2B3B-42E3-A6AB-8FAECFF848F0}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2DD37CF-3FAB-4EC4-B681-B4F61F0B9E95}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And this is the log that came out of the ewido virus scanner when I did it; it seemed to enjoy itself too.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:55:13, 18/08/2005
+ Report-Checksum: 2FBC0E3D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{F8B44545-C2E0-46C3-B78B-11E821C9D2E1} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{28E4193C-F276-4568-BCDC-DD15D88FADCC} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6B1BE803-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6B1BE807-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D74F-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D751-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8CFC92FA-7057-4A98-A3BE-9C34D3D255FD} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{916694A8-8AD6-11D2-B6FD-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{916694A9-8AD6-11D2-B6FD-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.286:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.329:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Clickhype : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.408:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.409:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.415:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.419:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.421:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\default.140\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\IESkins -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\reports.txt -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOI -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOI\dynamic -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOI\static -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOL -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOL\dynamic -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\HostOL\static -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1054043.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1055531.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1055545.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1056045.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\105762.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1065003.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1067152.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1087423.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1145404.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1175990.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\130685.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1369064.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1383597.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1383771.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1385373.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1387587.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1387588.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1388811.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1389760.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1390042.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1391525.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\1393628.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\142682.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\153110.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\16619.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\186182.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\224423.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\275123.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\287227.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\292213.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\457649.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\482697.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\535051.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\600583.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\617101.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\80299.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\819382.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\889933.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\890399.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\896551.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\959044.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\959652.sdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\ASPL1.dat -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\bstat -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\domains.txt -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\hstat -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\10807 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\11213 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\1337 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\13562 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\13922 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\15473 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\16210 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\16975 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\17025 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\17063 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\17301 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\18261 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\18391 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\18721 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\19650 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\20570 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\21060 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\22139 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\23889 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\23923 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\23928 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\24341 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\24787 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\25424 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\25708 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\25911 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\26125 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\26664 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\27060 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\27503 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\27505 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\27515 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\28383 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29115 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29297 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29425 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29536 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29547 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29569 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\29642 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\30189 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\32024 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\34107 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\34123 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\34137 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\34186 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\35000 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\35047 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\36598 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\38740 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\39897 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\41115 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\41641 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\42208 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\42623 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\43979 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\44214 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\44458 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\44750 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\44878 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\45355 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\45833 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\46110 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\46705 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\4899 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\49260 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\49432 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\51233 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\51374 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\51666 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\52288 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\52293 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\52306 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\52335 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Charlotte\Application Data\Hotbar\v3.0\Hotbar\dynamic\Tooltip\53349 -> Spyware.HotBar : Cleaned with backup
C:\Documents and S
#2
kool808
    Visiting Staff
  • Member
  • 1,690 posts
Okay, you have a pair of malware infections; we will get them down one at a time.

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

Please close all remaining windows, disconnect from the internet, open HijackThis, then click SCAN. Please put a check next to the following items:

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm


Make sure to double check the items you have selected, then click Fix Checked.

Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation: we need to uninstall the following programs.
  • Go to Control Panel > Add/Remove Programs.
  • Locate the following, if they exist:
    • Messenger Plus 3!
    • Wild Tangent
    • Get Right
  • Click Uninstall.
  • Confirm with OK.
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist:
  • C:\Program Files\Messenger Plus! 3\ <-- whole folder
  • C:\Program Files\WildTangent\ <-- whole folder
  • C:\Program Files\GetRight\ <-- whole folder
Finally, empty the Recycle Bin.

++++++++++++++++++++++++++++++
reboot back in NORMAL MODE.

Search for the jobs:

Open Notepad and copy and paste the following into it:

@echo off
rem list everything in the Tasks folder, hidden files included (/a with no attribute letter = all attributes)
dir "%Windir%\tasks" /a > files.txt
notepad files.txt

Save this as findjobs.bat (choose "All Files" as the file type) and place it on your desktop.

Double-click findjobs.bat and post the contents of the text file you get in your next reply.
(NOTE: You can delete this file afterwards.)

++++++++++++++++++++++++++++++
Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop. It's not done yet; let it run (it won't appear to be doing anything!).
  • Once you receive the prompt "All Done!", open the text file on the desktop, copy the entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


POST a new HijackThis log. Let me know how your system is running.
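Two of the hijack points this reply asks about, the HOSTS file (the O1 item) and the Run keys that Silent Runners lists, can be triaged by script instead of by eye. The following is an added Python example and is not code from this thread, from HijackThis or from Silent Runners. The HOSTS content is constructed (only the inverted "localhost 127.0.0.1" line mirrors the O1 item); the Run-key lines are copied, in Silent Runners' own output format, from the log posted later in the thread; the signal names and the heuristics behind them are my own choices.

```python
"""Triage helpers for two hijack points seen in this thread: HOSTS and the Run keys.
Added example; not code from the thread, HijackThis or Silent Runners."""
import ipaddress
import re

# Constructed sample HOSTS file. Only the inverted "localhost 127.0.0.1" line
# mirrors something in the thread (the O1 item); the rest is made up for the demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
localhost       127.0.0.1
10.0.0.5        www.example.com   # constructed: lookups for the real site go elsewhere
::1             localhost
"""

# Run-key lines in Silent Runners' output format, copied from the log in this thread.
SAMPLE_RUN_ENTRIES = r'''
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"srbho" = "FLKPT.exe" [file not found]
"Bogobot" = "teqq32.exe" [file not found]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"RunDLL" = "rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load" [MS]
'''

# "NAME" = "COMMAND" [PUBLISHER OR NOTE]  -- the shape Silent Runners uses for Run values
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"\s*\[(.*)\]\s*$')


def audit_hosts(text):
    """Return (line number, signal, line) for HOSTS lines worth a second look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # First field is not an address: the line is inverted (name first) or
            # malformed, which is what HijackThis shows as "O1 - Hosts: localhost 127.0.0.1".
            findings.append((lineno, "inverted-or-malformed", line))
            continue
        if len(fields) < 2:
            findings.append((lineno, "no-hostname", line))
        elif not addr.is_loopback:
            # Silent Runners' "IP address is *not* localhost" check. Legitimate on an
            # intranet, so treat it as a prompt to verify the name, not as a verdict.
            findings.append((lineno, "non-loopback", line))
    return findings


def first_token(cmd):
    """First program or argument of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit_run_entries(text):
    """Return (value name, command, [signals]) for every parsed Run-key line."""
    results = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, cmd, info = m.groups()
        exe = first_token(cmd)
        signals = []
        if info == "file not found":
            signals.append("orphaned")        # value points at a binary that is gone
        if info in ("null data", "empty string"):
            signals.append("no-publisher")    # binary carries no company/version info
        if "\\" not in exe and "/" not in exe:
            signals.append("no-path")         # bare name, resolved through the PATH search
        if exe.lower() == "rundll32.exe":
            dll = first_token(cmd[len(exe):])  # the DLL rundll32 is asked to load
            if "downloaded program files" in dll.lower():
                signals.append("rundll32-from-downloaded-program-files")
        results.append((name, cmd, signals))
    return results


if __name__ == "__main__":
    for lineno, signal, line in audit_hosts(SAMPLE_HOSTS):
        print(f"HOSTS line {lineno}: {signal}: {line}")
    for name, cmd, signals in audit_run_entries(SAMPLE_RUN_ENTRIES):
        if signals:
            print(f"Run value {name!r} -> {cmd}: {', '.join(signals)}")
```

The signals only rank entries for review: a bare file name with a recognised publisher (the VTTimer line) is normal for vendor utilities, while a bare name that is also orphaned or has no publisher is the pattern of the srbho, Bogobot and hclean32 values, and a rundll32 value loading a DLL out of Internet Explorer's download cache is the bridge.dll case.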

#3
daveski
    Member
  • Topic Starter
  • Member
  • 46 posts
Right, done that. There was no Wild Tangent in Add/Remove Programs, nor was there anything to delete for it in C:\Program Files, but the other two are gone.

The text file output by the findjobs.bat thing is:

++++++++++++++++++++++++++++++++++++++++++

Volume in drive C is HDD
Volume Serial Number is D8A9-E413

Directory of C:\WINDOWS\tasks

13/05/2005 09:56 <DIR> .
13/05/2005 09:56 <DIR> ..
19/08/2005 16:50 252 AOL 9.job
29/08/2002 13:00 65 desktop.ini
19/08/2005 16:49 6 SA.DAT
3 File(s) 323 bytes

Directory of C:\Documents and Settings\Nick\Desktop

+++++++++++++++++++++++++++++++++++++++++++++++++

Silent Runners gave me:

+++++++++++++++++++++++++++++++++++++++++++++++++

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"ACTIVBOARD" = "c:\apps\ABoard\ABoard.exe" ["NEC Computers International"]
"Lexmark X74-X75" = ""C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"" ["Lexmark International, Inc."]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" ["Google Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"" ["Network Associates, Inc."]
"%FP%Friendly fts.exe" = ""C:\Program Files\VoyagerTest\fts.exe"" ["Friendly Technologies"]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null data]
"VCSPlayer" = ""C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"" ["H+H Software GmbH"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"srbho" = "FLKPT.exe" [file not found]
"Bogobot" = "teqq32.exe" [file not found]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"RunDLL" = "rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Apps\RecordNow\shlext.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbui.dll" ["Stardock.Net, Inc"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csvbn.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WB\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll" ["Stardock"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Startup items in "Nick" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Nick\Start Menu\Programs\Startup
"Konfabulator" -> shortcut to: "C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe" ["Yahoo, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 9.0 Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0\aoltray.exe -check" ["America Online, Inc."]
"AOL Broadband Check-Up" -> shortcut to: "C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]


Enabled Scheduled Tasks:
------------------------

"AOL 9" -> launches: "C:\PROGRA~1\AOL9~1.0\aol.exe" ["America Online, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.freeserve.com/

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
SmartLinkService, SLService, "slserv.exe" [" "]
StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [empty string]
Virtual CD v4 Security service (SDK - Version), VCSSecS, "C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe" ["H+H Software GmbH"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 58 seconds, including 18 seconds for message boxes)

+++++++++++++++++++++++++++++++++++++++++++++++++++++

and hijackthis is now looking like this

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 16:57:25, on 19/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Nick\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srbho] FLKPT.exe
O4 - HKLM\..\Run: [Bogobot] teqq32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121207548687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20708039-23CE-4191-BB2A-846547F7919C}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5496C6A1-2B3B-42E3-A6AB-8FAECFF848F0}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

++++++++++++++++++++++++++++++++++++++++++++++++++++

fingers crossed that's done some good
  • 0

#4
kool808

    Visiting Staff

  • Member
  • 1,690 posts
Good job, you did it well. Your log looks much better now.


Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srbho"=-
"Bogobot"=-
"hclean32.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the "merged successfully" prompt, please close all remaining windows, disconnect from the internet, open HijackThis, then click SCAN. Please put a check on the following items listed below:

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [srbho] FLKPT.exe
O4 - HKLM\..\Run: [Bogobot] teqq32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load


Make sure to double check the items you have selected, then click Fix Checked.

Please reboot your computer.

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log will be saved at c:\log.txt
We will clean up what has been left, let me know how your system is running now.
  • 0
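The two things the helper picks out of the log above (Run entries whose command is a bare file name such as FLKPT.exe, a rundll32 entry loading a DLL from Downloaded Program Files, and a HOSTS line with its two fields the wrong way round) can be found mechanically. The script below is an added example written for this thread, not code from HijackThis or from the poster: it triages O1/O4 lines and then builds a REGEDIT4 script of the same shape as the one in the post, with the root key spelled out in full, because regedit does not accept the HKLM/HKCU abbreviations inside a .reg file. The sample log lines are copied from the 19/08/2005 log above; the removal list is an assumed, hand-reviewed subset, since a bare file name on its own also describes legitimate entries like VTTimer.exe.

```python
"""Triage O1 and O4 lines from a HijackThis log, then build a REGEDIT4 removal script."""
import re

# Constructed sample: lines copied from the 19/08/2005 log above plus one
# ordinary entry for contrast. A raw string keeps the backslashes literal.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srbho] FLKPT.exe
O4 - HKLM\..\Run: [Bogobot] teqq32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

O1_RE = re.compile(r'^O1 - Hosts: (.*)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

# .reg files need the full root key names; regedit ignores HKLM/HKCU there.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def split_command(cmd):
    """Return (first_token, remainder) of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text):
    """Return (hive, value_name, reason) tuples for entries a human should review."""
    findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            fields = m.group(1).split()
            if not fields or not IPV4_RE.match(fields[0]):
                # HOSTS lines are "IP hostname"; anything else is malformed
                # (the log above has the two fields the wrong way round).
                findings.append(("HOSTS", line, "hosts entry is not in 'IP hostname' form"))
            elif fields[0] != "127.0.0.1":
                findings.append(("HOSTS", line, "hostname redirected away from localhost"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        exe, rest = split_command(cmd)
        if exe.lower().endswith("rundll32.exe"):
            # rundll32 runs whatever DLL it is given; judge that path, not rundll32.
            dll = split_command(rest)[0].split(",")[0]
            if "\\system32\\" not in dll.lower():
                findings.append((hive, name, "rundll32 loads a DLL outside system32: " + dll))
        elif "\\" not in exe:
            # No directory: Windows locates the file via its search path, so the
            # log alone does not say which file runs. Legitimate entries (VTTimer,
            # SoundMan) look like this too, so this means "review", not "malicious".
            findings.append((hive, name, "bare file name with no path: " + exe))
    return findings


def make_removal_reg(entries):
    """Build a REGEDIT4 script that deletes the reviewed (hive, value_name) pairs."""
    by_hive = {}
    for hive, name in entries:
        by_hive.setdefault(hive, []).append(name)
    lines = ["REGEDIT4", ""]
    for hive, names in by_hive.items():
        lines.append("[%s\\%s]" % (HIVES[hive], RUN_KEY))
        for name in names:
            lines.append('"%s"=-' % name)  # "=-" deletes the value when merged
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for hive, name, reason in triage(SAMPLE_LOG):
        print("%-5s %-10s %s" % (hive, name, reason))
    # Only the entries confirmed bad by review go into the script (assumed list).
    print(make_removal_reg([("HKLM", "srbho"), ("HKLM", "Bogobot"), ("HKLM", "RunDLL")]))
```

Running it flags five lines: the reversed HOSTS entry, VTTimer, srbho, Bogobot and RunDLL; ATIPTA and msnmsgr pass because they carry a full path. The removal script is built from an explicit list rather than from the findings, so a legitimate bare-name entry never ends up deleted by accident.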

#5
daveski

    Member

  • Topic Starter
  • Member
  • 46 posts
right, done all that, the log file from rkfiles.bat was

C:\Documents and Settings\Nick\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\gp4tweak.dll: UPX!
C:\WINDOWS\system32\ntfsnlpa.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\theoffice.scr: |BfSG!
Finished
bye

generally i think the computer's doing better. i was unaware of this before earlier but apparently my sister was having loads of hijack trouble with ie, but when she went on it today all was good again.

also, since doing everything in your first post the pop ups seem to have disappeared, although this afternoon there was a solitary incident involving the "baloon", but i haven't seen this since.

mcafee has been complaining a lot though with on-access scan messages, the exe it kept deleting every time i use firefox is there still, in addition to another two this time,

C:\WINDOWS\system32\hclean32.exe QHosts-17
C:\WINDOWS\system32\csgnm.exe MultiDropper-NW

being the entries in the log (this could be completely unrelated and stuff, but it doesn't hurt to say it regardless, i have no idea what's going on)

apart from the above though, everything seems to be fine. for now.
  • 0
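The RKFiles log above is a list of files that contain a packer marker: "UPX!" in a UPX-compressed executable, and "PEC2", which is assumed here to be the PECompact marker. The report's own warning is the important part: a hit means the file is packed, not that it is bad (DivX.dll is a legitimate packed library). The script below is an added example, not RKFiles itself, showing how that kind of check works and adding a SHA-1 per hit so a flagged file can be looked up or submitted for a second opinion. The in-memory samples are constructed stand-ins named after files in the log; none is a real executable.

```python
"""Look for packer markers in files, as the RKFiles report above does."""
import hashlib
import os
import sys

# Marker bytes and the packer they indicate. "UPX!" (UPX) and "PEC2"
# (assumed here to be PECompact) are the two markers seen in the log above.
PACKER_MARKERS = {
    b"UPX!": "UPX",
    b"PEC2": "PECompact",
}

# Constructed stand-ins for files on disk: an MZ header, padding and a marker.
# None of these is a real executable; the names echo the log above.
SAMPLES = {
    r"C:\WINDOWS\system32\ntfsnlpa.exe": b"MZ" + b"\x00" * 60 + b"UPX0" + b"\x00" * 8 + b"UPX!" + b"\x00" * 16,
    r"C:\WINDOWS\system32\DivX.dll": b"MZ" + b"\x00" * 30 + b"PEC2" + b"\x00" * 16,
    r"C:\WINDOWS\system32\notepad.exe": b"MZ" + b"\x00" * 40 + b".text" + b"\x00" * 20,
}

SCAN_EXTENSIONS = (".exe", ".dll", ".scr", ".ocx", ".sys")


def find_packer_markers(data):
    """Return the sorted packer names whose marker bytes occur anywhere in data."""
    return sorted({name for marker, name in PACKER_MARKERS.items() if marker in data})


def scan_blob(name, data):
    """Return (name, packers, sha1). The hash is what you would look up or submit."""
    return (name, find_packer_markers(data), hashlib.sha1(data).hexdigest())


def scan_samples(samples):
    """Scan in-memory samples and keep only the records with at least one marker."""
    records = [scan_blob(name, data) for name, data in samples.items()]
    return [rec for rec in records if rec[1]]


def scan_directory(folder):
    """Scan the executables directly inside one folder; returns hit records only."""
    hits = []
    for entry in sorted(os.listdir(folder)):
        path = os.path.join(folder, entry)
        if not os.path.isfile(path) or not entry.lower().endswith(SCAN_EXTENSIONS):
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()  # whole file, so a marker cannot straddle a chunk boundary
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the scan
        rec = scan_blob(path, data)
        if rec[1]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_samples(SAMPLES)
    for name, packers, sha1 in results:
        print("%s: %s  sha1=%s" % (name, ", ".join(packers), sha1))
```

With no argument it scans the built-in samples and reports ntfsnlpa.exe (UPX) and DivX.dll (PECompact) while notepad.exe stays quiet; given a folder it scans the executables in that folder the same way. The packed/not-packed result is only a prompt to look closer, which is why each hit carries a hash rather than a verdict.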

#6
kool808

    Visiting Staff

  • Member
  • 1,690 posts
  • Please download the Killbox by Option^Explicit.
  • Save it to your desktop.
  • Run Killbox.exe.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

    C:\WINDOWS\system32\hclean32.exe
    C:\WINDOWS\system32\csgnm.exe
    C:\WINDOWS\RMAgentOutput.dll
    C:\WINDOWS\system32\ntfsnlpa.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.
After reboot, post a new HiJackThis log here.
  • 0

#7
daveski

    Member

  • Topic Starter
  • Member
  • 46 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:12:10, on 21/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Documents and Settings\Nick\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121207548687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20708039-23CE-4191-BB2A-846547F7919C}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5496C6A1-2B3B-42E3-A6AB-8FAECFF848F0}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
kool808

    Visiting Staff

  • Member
  • 1,690 posts
Very good! :tazz: How is your system running now?

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{20708039-23CE-4191-BB2A-846547F7919C}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5496C6A1-2B3B-42E3-A6AB-8FAECFF848F0}: NameServer = 69.50.176.198,85.255.112.12


Close HiJackThis.

Now let's check some settings on your system.
  • Go to Start > Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties.
  • Click the Networking tab.
  • Double-Click on the Internet Protocol (TCP/IP) item.
  • Select the radio dial that says Obtain DNS Servers Automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.
Make sure to reboot and post back a new HiJackThis log into this topic.
  • 0
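An O17 line means the interface identified by that GUID has DNS servers written into the registry instead of taking them from DHCP, so every lookup the machine makes goes to those addresses. The post above removes the entries and then switches the connection back to obtaining DNS automatically, which is the GUI way of clearing the same value. The script below is an added example, not code from the thread: it pulls the O17 lines out of a log, classifies each resolver as loopback, private or public, and reports any that are not on an expected list. The expected list is a placeholder you fill with your ISP's or router's resolvers; the two sample lines are copied from the log above, and no claim is made here about the addresses themselves beyond what the thread shows.

```python
"""Check O17 NameServer entries from a HijackThis log against the resolvers you expect."""
import ipaddress
import re

O17_RE = re.compile(
    r'^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\\{([0-9A-Fa-f-]+)\}: NameServer = (.*)$')

# Constructed sample: the two O17 lines from the log above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{20708039-23CE-4191-BB2A-846547F7919C}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5496C6A1-2B3B-42E3-A6AB-8FAECFF848F0}: NameServer = 69.50.176.198,85.255.112.12
"""

# Placeholder: the resolvers your ISP or router hands out. A home machine on
# DHCP normally has no O17 line at all, so an empty set is a fair default.
EXPECTED_RESOLVERS = set()


def parse_o17(log_text):
    """Return {interface_guid: [server, ...]} for each O17 line in the log."""
    interfaces = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            guid, servers = m.groups()
            interfaces[guid] = [s.strip() for s in servers.split(",") if s.strip()]
    return interfaces


def classify(ip):
    """Return loopback / private / public, or 'invalid' if the value is not an address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def check_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Return (guid, server, kind) for every hard-coded resolver not in `expected`."""
    findings = []
    for guid, servers in parse_o17(log_text).items():
        for server in servers:
            if server not in expected:
                findings.append((guid, server, classify(server)))
    return findings


if __name__ == "__main__":
    for guid, server, kind in check_nameservers(SAMPLE_LOG):
        print("interface {%s}: static DNS %s (%s)" % (guid, server, kind))
```

On the sample it reports four findings, two public addresses on each of the two interfaces. A static resolver is not wrong by itself (a managed network may set one on purpose), which is why the check compares against a list you supply rather than treating every O17 line as a problem; the check is worth repeating on the next log after the fix, since the entries should then be gone.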

#9
daveski

    Member

  • Topic Starter
  • Member
  • 46 posts
ok, everything seems to be alright. mcafee hasn't had any problems with anything, haven't seen a pop up for a day or so now. however, i've been noticing that hijackthis seems to take a bit longer to do the scan now, stays on "O23 - nt services" for a while whereas at the start i didn't notice this, may well be normal for all i know though.

Logfile of HijackThis v1.99.1
Scan saved at 15:40:59, on 21/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Documents and Settings\Nick\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121207548687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10
kool808
    Visiting Staff
    1,690 posts
Did you install IE-SPYAD? It will take a very long time for HijackThis to scan because it loads more than 5,000 bad website entries into your restricted IE zone. I do not see any malware on your HJT log. ;)

you can now uninstall or remove these tools

killbox
silent runners
rkfiles
fixware.reg
findjobs.bat



Congratulations! :) your system is CLEAN!

WinXP Reset & All-Clean

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus (these are also free for personal use): It is critical to have both a firewall and an antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Security Updates - Software:
http://www.geekstogo.com/forum/Security-Updates-f69.html

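The verdict above ("I do not see any malware on your HJT log") is the result of reading a HijackThis log by eye, section by section. The script below is an added example, not part of this thread, of HijackThis or of any Geeks to Go procedure: it applies a few of the mechanical checks a reviewer starts with (O4 autostarts that are bare file names found by PATH search, entries in user-writable or per-user locations, binaries marked "(file missing)", O23 services with no company name, and O20 Winlogon Notify DLLs) over a handful of lines copied from the log posted earlier in this thread. The flags it raises are prompts to look, not verdicts: the helper judged this whole log clean, and the checks here are deliberately only the ones that can be made from the text of the log alone.

```python
"""Heuristic triage of HijackThis (HJT) log lines: added example, not part of
this thread or of HijackThis. A flag is a prompt to look, not a verdict."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HJT section code: O4, O20, O23
    subject: str  # autorun name, startup shortcut or service name
    reason: str   # why a reviewer would look at it


# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

LINE_RE = re.compile(r'^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$')
O4_RUN_RE = re.compile(r'^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$')
O20_RE = re.compile(r'^Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$')
# HJT prints "name - owner - path"; an empty owner collapses to "name - - path".
O23_RE = re.compile(r'^Service: (?P<name>.+?) - (?:(?P<owner>.*?) )?- (?P<cmd>.*)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|cmd|pif|dll|vbs))(?=\s|"|$)', re.IGNORECASE)
# Directories an unprivileged XP user (or malware run as that user) can write to.
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\',
                 '\\documents and settings\\', '%temp%', '%userprofile%')


def first_executable(cmd: str) -> str:
    """Return the program part of a Run-key command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)  # unquoted path with spaces: cut at the extension
    return m.group(1) if m else (cmd.split()[0] if cmd else '')


def _check_path(sec: str, subject: str, cmd: str) -> List[Finding]:
    out: List[Finding] = []
    exe = first_executable(cmd)
    if '(file missing)' in cmd:
        out.append(Finding(sec, subject, 'registered binary is missing from disk: orphaned entry or a dropped file'))
    if exe and '\\' not in exe and ':' not in exe:
        out.append(Finding(sec, subject, f'bare file name {exe}: found by PATH search, so a same-named file earlier in PATH shadows it'))
    if any(tok in exe.lower() for tok in USER_WRITABLE):
        out.append(Finding(sec, subject, 'runs from a user-writable location: ' + exe))
    return out


def _check_o4(body: str) -> List[Finding]:
    m = O4_RUN_RE.match(body)
    if m:
        out = _check_path('O4', m.group('name'), m.group('cmd'))
        if m.group('hive') == 'HKCU':
            out.append(Finding('O4', m.group('name'), 'per-user Run key: writable without admin rights'))
        return out
    m = O4_STARTUP_RE.match(body)
    if not m:
        return []
    if m.group('cmd') == '?':
        return [Finding('O4', m.group('name'), 'startup shortcut whose target HJT could not resolve')]
    return _check_path('O4', m.group('name'), m.group('cmd'))


def _check_o23(body: str) -> List[Finding]:
    m = O23_RE.match(body)
    if not m:
        return []
    name, owner = m.group('name'), (m.group('owner') or '').strip()
    out = _check_path('O23', name, m.group('cmd'))
    if owner in ('', 'Unknown owner'):
        out.append(Finding('O23', name, 'no company name in the service binary: confirm the publisher by hand'))
    return out


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group('sec'), m.group('body')
        if sec == 'O4':
            findings.extend(_check_o4(body))
        elif sec == 'O20':
            w = O20_RE.match(body)
            if w:  # Notify DLLs load into winlogon.exe as SYSTEM before any logon
                findings.append(Finding('O20', w.group('name'), 'Winlogon Notify DLL: ' + w.group('path')))
        elif sec == 'O23':
            findings.extend(_check_o23(body))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4}{f.subject:<60} {f.reason}')
```

Run it with python3 to print the findings for the sample; to look at another log, pass its text to triage(). On this sample the bare-name VTTimer entry and the two ATI/SmartLink services with no owner string are flagged but are the ordinary vendor components the helper passed over, while the WinPcap rpcapd service is flagged twice (no owner, binary missing), which is the one entry in the log that would repay a second look even on a clean machine.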

#11
daveski
    Member, Topic Starter
    46 posts
ok, i'm just going to do all that last stuff now. cheers for all the help here, much appreciated, and keep up the good work! :tazz:

#12
kool808
    Visiting Staff
    1,690 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.