[RESOLVED] Aurora/Nail.exe/abetterinternet problem


  • This topic is locked

#1
tazical

  • Member
  • 14 posts
Hi guys- hoping someone can help with this.

I've had bad luck with viruses in the last month or so, and suspect I have a malware downloader program on my system somewhere, as I seem to be picking up a lot of spyware and trojans from an indeterminable source. The main noticeable problem is the Aurora/abetterinternet pop-up software, which restarts up every time I clean it off my system.

I've also previously had a dialler program (which has cost me over £350 in call charges, gah!), the Smitfraud-c phisher, Perfect Keylogger 2.0, Trojan.BHOMod, CoolWebSearch, ComLoad, Transponder.Bolger, Begin2Search, Trojan downloaders pops-stop and pacisoft and various adware. I've followed all the prompts in the malware start section, and would be very grateful if someone can look at the following Hijack This log and help me get my PC sterilised!

Thanks,
Taz

____

Logfile of HijackThis v1.99.1
Scan saved at 21:51:07, on 03/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejourn...ml?user=tazical
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.truprint....printUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...534/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B476510-3071-444A-A2BC-73C238965B7C}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Bugbatter, 05 September 2005 - 07:22 AM.

  • 0
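
Added example, not part of the original posts: a small Python triage helper for a HijackThis log like the one above. It flags an F2 `Shell=` value that lists anything after the default `Explorer.exe` (here `C:\WINDOWS\Nail.exe`), flags entries registered with `(no file)`, and compares a log with a later one to confirm which entries are gone. The function names and the "after" log are assumptions constructed for illustration.

```python
import re

# Entry lines look like "F2 - ..." or "O23 - ...": section code, " - ", body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Lines excerpted from the HijackThis log in the post above.
LOG_BEFORE = r'''
Running processes:
C:\WINDOWS\Explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
'''

# Constructed "after cleanup" log (an assumption for illustration, not from the thread).
LOG_AFTER = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
'''


def parse_entries(log_text):
    """Return (section_code, body) tuples for the R/F/O entry lines of a log.

    Header lines and the running-process list do not match and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def shell_extras(entries):
    """For F2 'Shell=' entries, return whatever is listed besides Explorer.exe.

    The default shell value is just Explorer.exe, so any remainder is an extra
    program launched at every logon and should be inspected.
    """
    extras = []
    for code, body in entries:
        if code != "F2":
            continue
        m = re.search(r"\bShell=(.*)$", body, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip()
        rest = re.sub(r"^explorer\.exe\b", "", value, flags=re.IGNORECASE)
        rest = rest.strip(" ,")
        if rest:
            extras.append(rest)
    return extras


def missing_files(entries):
    """Entries whose registered file is reported as '(no file)'."""
    return [(code, body) for code, body in entries if body.endswith("(no file)")]


def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two logs of the same machine."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    entries = parse_entries(LOG_BEFORE)
    for extra in shell_extras(entries):
        print("F2 Shell lists an extra program:", extra)
    for code, body in missing_files(entries):
        print("Registered without a file:", code, body)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone in the later log:", [code for code, _ in removed])
    print("New in the later log:", [code for code, _ in added])
```

A flagged entry is a prompt to inspect the file, not a verdict; legitimate software can also leave orphaned registrations.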



#2
Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
Hi, Taz,
It sounds as if you've had quite a malware collection!

First, let's disable those programs that are monitoring your Registry to prevent bad changes.
They will also prevent GOOD changes. You can enable them when your fix is ENTIRELY completed and your system is verified as being clean.

SpySweeper:
To disable SpySweeper:
Open it, click >Options over to the left, then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
[After your system is fully cleaned reenable Spysweeper using the same steps but this time reverse them.]

ewido:
From within Ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

Spyware Doctor:
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.
Exit by a right-click on the "Spyware Doctor" icon in the system tray and choose "Exit".

SpywareGuard:
Right click the running icon of Spywareguard, it will open the program: Menu > File > Exit, and confirm the program's close.
OR :
Right-click on the SG icon in your system tray and SpywareGuard should open.
Click "Options" and then uncheck these options under the "General" tab:
Enable Real-Time Scanning
Enable Download Protection
Enable Browser Hijack Protection

Click "Save Settings"

** When we have completed all of your fixes, please re-enable these settings.

Now we can begin the fix:
Please read completely through the instructions below and download the files from the links provided.
You may want to save or print out these instructions for easier reference.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

Please launch your ewido and UPDATE it.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please move your HijackThis to a FOLDER of its own where it can save backups.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Do a Cut on your HijackThis.exe and PASTE it in that new folder (or Edit>Move to). Double click to run it.

Please post your ewido report and a fresh HJT log. Thanks. :tazz:
  • 0

#3
tazical

  • Topic Starter
  • Member
  • 14 posts
Hi, thanks for the quick reply :tazz:)

Logs as requested:

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 02:10:06, 04/09/2005
+ Report-Checksum: 4EAB5EF2

+ Scan result:

HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1100933587-446484383-221606908-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Spyware.Cydoor : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.265:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.326:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.327:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.328:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.329:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.367:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.368:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.396:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.397:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.427:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.428:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.429:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.437:C:\Documents and Settings\Tracey Newton\Application Data\Mozilla\Firefox\Profiles\nxe2wa7t.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Tracey Newton\Cookies\tracey newton@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Tracey Newton\Cookies\tracey newton@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tracey Newton\Cookies\tracey newton@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Tracey Newton\Cookies\tracey newton@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\WINDOWS\Nail.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe7898.tcf -> Adware.BetterInternet : Cleaned with backup


::Report End

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 02:12:08, on 04/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejourn...ml?user=tazical
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.truprint....printUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...534/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B476510-3071-444A-A2BC-73C238965B7C}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4
Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
Good job! Things are looking better.

"I seem to be picking up a lot of spyware and trojans from an indeterminable source."

Do you have Kazaa installed?

Please boot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

Please launch HJT and tick these:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


These are optional to fix because they use resources and may be unnecessary depending on your needs. Fixing them here will not prevent you from opening them manually.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(RealPlayer scheduler for updates -- Unnecessary)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
(Installs Apple's Quicktime tray icon -- Unnecessary)

Close all windows except HJT and click "Fix Checked".

Reboot normally.

If you do not already have a cleaning utility such as CleanUp! or CCleaner, please download CCleaner and run it.
You can download CCleaner from either of these sites:
http://www.ccleaner.com/
http://www.filehippo...d_ccleaner.html

Once installed, launch CCleaner:
Do not change any settings, except to make sure on the Options tab>Advanced "Only delete files in Windows Temp folders older than 48 hours" is NOT checked.
Click Run Cleaner (bottom right). When finished> Exit (top right) (reboot)

Please post a fresh HJT log and let me know how things are running. Also let me know if we need to remove Kazaa.

Edited by Bugbatter, 04 September 2005 - 09:21 AM.


#5
tazical

    Member

  • Topic Starter
  • Member
  • 14 posts
I do have Kazaa installed, although I use it infrequently, so the accompanying pop-up software is ok to keep. I've used it for a couple of years with no previous virus problems, so I suspect that the cause of my recent malware woes may lie in either an unintentionally infected attachment that a friend e-mailed to me or in a freeware application that I downloaded just before it started. Either way, I'll be happy to get rid of it!

Instructions have been followed, log below. bt-yahoo was my old dial-up ISP, so all those components were fine to get rid of.

The system seems to be running a lot better now- I've had no further outbreaks of Aurora and a search has revealed that nail.exe is no longer on my system. Previous spyware detectors had found and removed it, only for it to reappear again later, so I hope this has done the trick :tazz:

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 16:58:48, on 04/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejourn...ml?user=tazical
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.truprint....printUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...534/mcfscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6
Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
Your log appears to be clean. :)

It is your decision whether or not you want to keep Kazaa. It is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of.
You may have noticed these in your ewido log:
Kazaa\Promotions\Cydoor\Adwr_329
Here are some articles regarding alternatives that will provide some of the same function without the spyware issues:
http://www.spywarein...m/articles/p2p/
http://forums.winamp...?threadid=64964
http://www.benedelman.org/spyware/p2p/

If you ever want to remove Kazaa use Add/Remove Programs. After removing Kazaa, run Kazaabegone to clean out the remnants:
http://www.computerc...s-file-331.html
It will remove all the traces left behind by the Kazaa uninstall.

** Because this version can break your email connectivity, first download:
- LSPfix - from http://www.cexx.org/lspfix.htm -

Delete the Kazaa folder if it still exists in your Program Files.

Otherwise, you are good to go. :tazz:

After something like this it is a good idea to purge the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

You may have already taken some of these steps:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.javacools...ywareguard.html
Periodically check for updates.

4. Keep your antivirus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs....ontent/home.jsp is free.
Also Sygate has an optional free version: http://smb.sygate.com/download_buy.htm

5. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

6. Install spyware detection and removal programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft....ftware/adaware/

b. SpyBot S&D: http://safer-network...2005-05-31.html
http://www.majorgeek...wnload2471.html
http://security.koll...n&page=download
I would check for updates in SpyBot once a week or so.
Check for updates in Adaware frequently.
I scan with each at least weekly.

7. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewa...nti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewa...-test-guide.htm

8. I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

9. After you use Windows XP for some time, the prefetch folder can get full of rarely used or obsolete links which can slow down your computer boot time noticeably. We recommend you delete all files in this folder about once a month.
To find the prefetch folder, enter this in the explorer address bar:
%windir%\prefetch
This should take you to either C:\WINDOWS\PREFETCH or C:\WINNT\PREFETCH. Delete all the files there. http://www.hexff.com/xp_tuneup.php

10. You might want to take a look at this article, too.
http://computercops....tlite7736-.html

Happy and Safe Surfing. :)

Since this issue appears to be resolved, I will close this topic. Glad we could help. :)
If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Edited by Bugbatter, 04 September 2005 - 06:31 PM.
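
The before/after check behind a "log appears to be clean" reply can be scripted. The following is an added example, not part of the original thread and not HijackThis code: it parses HijackThis entries, then compares the pre-fix log, the helper's fix list and the fresh log. The three inputs are short excerpts of the logs posted in this thread (truncated URLs kept as posted); all function and variable names are hypothetical.

```python
import re

# HijackThis entry lines start with a section code: "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into running processes and (section, detail) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif not line:
            in_processes = False  # a blank line closes the process block
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def normalise(section, detail):
    """Comparison key: undo forum escaping (\\"), collapse spaces, ignore case."""
    detail = detail.replace('\\"', '"')
    return section, re.sub(r"\s+", " ", detail).strip().casefold()


def index_entries(text):
    """Map comparison key -> entry as written, in log order (duplicates collapse)."""
    return {normalise(s, d): f"{s} - {d}" for s, d in parse_hjt(text)["entries"]}


def review_fix(before_text, fix_text, after_text):
    """Compare the pre-fix log, the helper's fix list and the fresh log."""
    before, fixes, after = (index_entries(t) for t in (before_text, fix_text, after_text))
    procs_before = parse_hjt(before_text)["processes"]
    procs_after = {p.casefold() for p in parse_hjt(after_text)["processes"]}
    return {
        # Fix-list lines that never matched the old log (typo or stale list).
        "fix_not_in_before": [v for k, v in fixes.items() if k not in before],
        # Entries that were ticked but survived: candidates for a respawning loader.
        "fix_still_present": [v for k, v in fixes.items() if k in after],
        # Entries that vanished without being on the fix list: worth a question.
        "removed_unrequested": [v for k, v in before.items()
                                if k not in after and k not in fixes],
        # Anything that appeared between the two scans.
        "new_in_after": [v for k, v in after.items() if k not in before],
        "processes_gone": [p for p in procs_before if p.casefold() not in procs_after],
    }


# Excerpt of the 02:12:08 log posted in the thread (shortened for the example).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 02:12:08, on 04/09/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B476510-3071-444A-A2BC-73C238965B7C}: NameServer = 205.188.146.145
"""

# Excerpt of the helper's fix list, including one line with forum-escaped quotes.
FIX_LIST = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Excerpt of the 16:58:48 log posted after the fix (shortened for the example).
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 16:58:48, on 04/09/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for bucket, items in review_fix(BEFORE, FIX_LIST, AFTER).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

An empty `fix_still_present` bucket is the scripted form of "clean"; a non-empty one on a machine where malware keeps returning points at something re-creating the entry between scans.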
