Active scan log:
Incident Status Location
Adware:adware/hotoffers No disinfected C:\WINDOWS\SYSTEM32\Inkline Global PC tuneup.ico
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Spyware:spyware/istbar No disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Spyware:spyware/betterinet No disinfected Windows Registry
Spyware:Spyware/Abcsearch No disinfected C:\WINDOWS\SYSTEM32\msjpnd.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl
Adware:Adware/Hotoffers No disinfected C:\WINDOWS\SYSTEM32\msodae.dll
Spyware:Spyware/ClientMan No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP288\A0065798.DLL
Adware:Adware/SideSearch No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP288\A0065800.DLL
Adware:Adware/BrilliantDigital No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0065944.rbf
Adware:Adware/BrilliantDigital No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0065951.MSI[unk_0021][bdcore.dll]
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066016.dll
Adware:Adware/P2PNetworking No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066024.DLL
Adware:Adware/P2PNetworking No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066025.exe
Adware:Adware/BookedSpace No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066286.exe
Adware:Adware/Yahoo No disinfected C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066287.dll
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:59:36 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Eric\FTP\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...oad/tgctlcm.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125698819065
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
EWIDO log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:23:00 PM, 9/2/2005
+ Report-Checksum: 8AD4FBBF
+ Scan result:
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\ZF7TLMK0\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\fmtqqifom.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\nreaptbj.exe -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Yahoo!\Companion\ycomp.cab/ycomp5_0_2_7.dll -> Spyware.Yahoo : Cleaned with backup
C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll -> Spyware.Yahoo : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Cookies\apex@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Cookies\apex@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\Temporary Internet Files\Content.IE5\18G0F1WC\dun[1].exe -> Spyware.DealHelper : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\ms17F.tmp -> TrojanDownloader.Small.nj : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\ms13E.tmp -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\ms16A.tmp -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\Documents and Settings\APEX\Local Settings\Temp\sntaudio.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\APEX\Cookies\apex@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP288\A0065799.DLL -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP288\A0065815.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066044.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066060.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066061.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066062.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066070.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP289\A0066132.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066140.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066142.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066149.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066155.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066191.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066207.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP291\A0066214.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066249.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066257.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066272.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066273.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066274.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066275.exe -> Trojan.Stervis.f : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066280.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066281.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{7AA2535B-7E92-4BA3-809F-A90F4B13C083}\RP295\A0066284.exe -> Adware.BetterInternet : Cleaned with backup
::Report End