msclock32.dll [RESOLVED]



#31
Buckeye_Sam (Malware Expert, 10,019 posts)
Let's try this.

Download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

#32
showme69 (Topic Starter, 48 posts)
Ok, I completed the last instructions.

#33
Buckeye_Sam (Malware Expert, 10,019 posts)
Please post a new hijackthis log.
Is Mcafee still popping up?

#34
showme69 (Topic Starter, 48 posts)
Yes, McAfee is still popping up. I have to turn the VS off in order to post or the computer runs like molasses on a cold morning.
Here's the log.


Logfile of HijackThis v1.99.1
Scan saved at 3:15:48 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\program files\mailskinner\mailskinner.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\PROGRA~1\mcafee.com\agent\McDash.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yhti.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33875E4F-4744-432E-8779-6E9813D4C611}: NameServer = 66.140.208.10
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
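The HijackThis log above is the artifact the whole thread turns on. As an added example, not code from the thread or from HijackThis, the Python below parses that log format and pulls out the entries a reviewer checks first (Run-key and Global Startup autoruns, BHOs and toolbars, the O17 name server, O23 services) and prints review hints. The sample log is a constructed excerpt in the posted format; TRUSTED_ROOTS and the hint rules are my assumptions, not anything HijackThis defines.

```python
"""Added example (not code from the thread or from HijackThis): parse the
HijackThis v1.99 log format posted above and pull out the autostart entries a
reviewer checks first. The review-hint rules and TRUSTED_ROOTS are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    kind: str        # run, startup, bho, toolbar, dns, service
    name: str        # [Run value], .lnk name, display name or "NameServer"
    target: str      # executable / DLL path, "?" if unresolved, or the DNS address
    args: str = ""   # command-line arguments for run/startup entries
    extra: str = ""  # hive, CLSID or service owner, depending on kind


# Constructed excerpt using lines in the format of the log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yhti.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{33875E4F-4744-432E-8779-6E9813D4C611}: NameServer = 66.140.208.10
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
EXT_RE = re.compile(r"^(?P<kind>O2 - BHO|O3 - Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def split_command(cmd: str) -> tuple[str, str]:
    """Separate executable from arguments. HJT prints the path quoted or bare,
    and bare paths may contain spaces, so an unquoted command is cut after .exe."""
    m = re.match(r'"(?P<exe>[^"]*)"\s*(?P<args>.*)$', cmd)
    if not m:
        m = re.match(r"(?P<exe>.*?\.exe)\s*(?P<args>.*)$", cmd, re.IGNORECASE)
    if not m:
        return cmd.strip(), ""      # e.g. "?" when HJT could not resolve a .lnk
    return m["exe"], m["args"].strip()


def parse_hjt(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            exe, args = split_command(m["cmd"])
            entries.append(Entry("run", m["name"], exe, args, m["hive"]))
        elif m := STARTUP_RE.match(line):
            exe, args = split_command(m["cmd"])
            entries.append(Entry("startup", m["name"], exe, args, "Global Startup"))
        elif m := EXT_RE.match(line):
            kind = "bho" if m["kind"].startswith("O2") else "toolbar"
            entries.append(Entry(kind, m["name"], m["path"], "", m["clsid"]))
        elif m := DNS_RE.match(line):
            entries.append(Entry("dns", "NameServer", m["ns"]))
        elif m := SVC_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"], "", m["owner"]))
    return entries


# Assumed "usual" program locations on an XP box; anything else gets a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\progra~1\\", "c:\\program files\\")


def review_hints(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Entries to look up first. These are prompts for a look-up, not verdicts:
    legitimate software also ships unnamed BHOs and unsigned services."""
    hints = []
    for e in entries:
        target = e.target.lower()
        if e.kind in ("bho", "toolbar") and e.name == "(no name)":
            hints.append((e, "browser extension has no display name"))
        elif e.kind == "service" and e.extra == "Unknown owner":
            hints.append((e, "service has no publisher"))
        elif e.kind in ("run", "startup") and (target == "?" or not target.startswith(TRUSTED_ROOTS)):
            hints.append((e, "autorun target unresolved or outside program directories"))
    return hints


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for entry, reason in review_hints(found):
        print(f"{entry.kind:8} {entry.name!r:28} {entry.target}  <- {reason}")
```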

#35
Buckeye_Sam (Malware Expert, 10,019 posts)
Spysweeper has been good lately about picking this one up.

Please download the trial version of WebRoot SpySweeper
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#36
showme69 (Topic Starter, 48 posts)
First, a related question. I got the email notification that you had responded, clicked on the link in the email, the window opened with the thread plus another window behind it from nuker.com with a link to click on to scan my computer. Is that in any way related to the geekstogo website?

I did the spysweeper scan. It gave me the option to reboot because to delete something it said the computer had to be rebooted. I chose no since I had to save the log. After saving the log I rebooted the computer. The PUP still came up. I found in the log where it had found the msclock32.dll and msplock32.dll plus instant access, all three needed the reboot to be deleted. I already ran spysweeper again and it only found instant access, not the other two files. When it gave me the option to reboot, I did, and the PUP still came up with the msclock32.dll file listed.




********
11:26 AM: | Start of Session, Thursday, October 13, 2005 |
11:26 AM: Spy Sweeper started
11:26 AM: Sweep initiated using definitions version 553
11:26 AM: Starting Memory Sweep
11:28 AM: Memory Sweep Complete, Elapsed Time: 00:01:43
11:28 AM: Starting Registry Sweep
11:28 AM: Found Adware: instant access
11:28 AM: HKU\WRSS_Profile_S-1-5-21-465877025-94767022-1036326097-1006\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
11:28 AM: Found Adware: one2one viewer
11:28 AM: HKU\WRSS_Profile_S-1-5-21-465877025-94767022-1036326097-1006\software\livesvc\ (1 subtraces) (ID = 136368)
11:28 AM: Registry Sweep Complete, Elapsed Time:00:00:16
11:28 AM: Starting Cookie Sweep
11:28 AM: Found Spy Cookie: 2o7.net cookie
11:28 AM: isaac@2o7[1].txt (ID = 1957)
11:28 AM: Found Spy Cookie: about cookie
11:28 AM: isaac@about[2].txt (ID = 2037)
11:28 AM: Found Spy Cookie: adknowledge cookie
11:28 AM: isaac@adknowledge[2].txt (ID = 2072)
11:28 AM: Found Spy Cookie: ask cookie
11:28 AM: isaac@ask[1].txt (ID = 2245)
11:28 AM: Found Spy Cookie: atlas dmt cookie
11:28 AM: isaac@atdmt[2].txt (ID = 2253)
11:28 AM: Found Spy Cookie: atwola cookie
11:28 AM: isaac@atwola[2].txt (ID = 2255)
11:28 AM: Found Spy Cookie: bizrate cookie
11:28 AM: isaac@bizrate[2].txt (ID = 2308)
11:28 AM: Found Spy Cookie: captaincode cookie
11:28 AM: isaac@captaincode[2].txt (ID = 2346)
11:28 AM: Found Spy Cookie: go.com cookie
11:28 AM: isaac@disney.go[1].txt (ID = 2729)
11:28 AM: isaac@go[2].txt (ID = 2728)
11:28 AM: Found Spy Cookie: ic-live cookie
11:28 AM: isaac@ic-live[1].txt (ID = 2821)
11:28 AM: isaac@psc.disney.go[1].txt (ID = 2729)
11:28 AM: Found Spy Cookie: questionmarket cookie
11:28 AM: isaac@questionmarket[1].txt (ID = 3217)
11:28 AM: Found Spy Cookie: rightmedia cookie
11:28 AM: isaac@rightmedia[1].txt (ID = 3259)
11:28 AM: Found Spy Cookie: serving-sys cookie
11:28 AM: isaac@serving-sys[2].txt (ID = 3343)
11:28 AM: isaac@tv.disney.go[1].txt (ID = 2729)
11:28 AM: isaac@vgstrategies.about[1].txt (ID = 2038)
11:28 AM: Found Spy Cookie: xzoomy cookie
11:28 AM: isaac@www.xzoomy[1].txt (ID = 3742)
11:28 AM: Found Spy Cookie: websponsors cookie
11:28 AM: kelly@a.websponsors[1].txt (ID = 3665)
11:28 AM: kelly@about[1].txt (ID = 2037)
11:28 AM: Found Spy Cookie: accoona cookie
11:28 AM: kelly@accoona[2].txt (ID = 2041)
11:28 AM: Found Spy Cookie: reunion cookie
11:28 AM: kelly@ad.reunion[1].txt (ID = 3256)
11:28 AM: kelly@adknowledge[1].txt (ID = 2072)
11:28 AM: Found Spy Cookie: adprofile cookie
11:28 AM: kelly@adprofile[2].txt (ID = 2084)
11:28 AM: kelly@ask[2].txt (ID = 2245)
11:28 AM: kelly@atdmt[1].txt (ID = 2253)
11:28 AM: Found Spy Cookie: belnk cookie
11:28 AM: kelly@ath.belnk[2].txt (ID = 2293)
11:28 AM: kelly@atwola[1].txt (ID = 2255)
11:28 AM: Found Spy Cookie: bannerspace cookie
11:28 AM: kelly@bannerspace[2].txt (ID = 2284)
11:28 AM: kelly@beauty.about[2].txt (ID = 2038)
11:28 AM: kelly@belnk[1].txt (ID = 2292)
11:28 AM: kelly@bizrate[2].txt (ID = 2308)
11:28 AM: Found Spy Cookie: goclick cookie
11:28 AM: kelly@c.goclick[2].txt (ID = 2733)
11:28 AM: Found Spy Cookie: classmates cookie
11:28 AM: kelly@classmates[1].txt (ID = 2384)
11:28 AM: Found Spy Cookie: tickle cookie
11:28 AM: kelly@cookie.tickle[1].txt (ID = 3530)
11:28 AM: Found Spy Cookie: coolsavings cookie
11:28 AM: kelly@coolsavings[1].txt (ID = 2465)
11:28 AM: Found Spy Cookie: dealtime cookie
11:28 AM: kelly@dealtime[2].txt (ID = 2505)
11:28 AM: Found Spy Cookie: did-it cookie
11:28 AM: kelly@did-it[2].txt (ID = 2523)
11:28 AM: kelly@dist.belnk[2].txt (ID = 2293)
11:28 AM: kelly@familyfun.go[1].txt (ID = 2729)
11:28 AM: Found Spy Cookie: go2net.com cookie
11:28 AM: kelly@go2net[1].txt (ID = 2730)
11:28 AM: kelly@go[2].txt (ID = 2728)
11:28 AM: kelly@homecooking.about[1].txt (ID = 2038)
11:28 AM: kelly@homeparents.about[1].txt (ID = 2038)
11:28 AM: Found Spy Cookie: homestore cookie
11:28 AM: kelly@homestore[1].txt (ID = 2793)
11:28 AM: Found Spy Cookie: screensavers.com cookie
11:28 AM: kelly@i.screensavers[2].txt (ID = 3298)
11:28 AM: kelly@ic-live[1].txt (ID = 2821)
11:28 AM: Found Spy Cookie: infospace cookie
11:28 AM: kelly@infospace[1].txt (ID = 2865)
11:28 AM: Found Spy Cookie: kount cookie
11:28 AM: kelly@kount[1].txt (ID = 2911)
11:28 AM: Found Spy Cookie: metareward.com cookie
11:28 AM: kelly@metareward[2].txt (ID = 2990)
11:28 AM: Found Spy Cookie: nextag cookie
11:28 AM: kelly@nextag[2].txt (ID = 5014)
11:28 AM: Found Spy Cookie: pub cookie
11:28 AM: kelly@pub[1].txt (ID = 3205)
11:28 AM: Found Spy Cookie: affiliatefuel.com cookie
11:28 AM: kelly@r1.affiliatefuel[1].txt (ID = 2202)
11:28 AM: kelly@reunion[2].txt (ID = 3255)
11:28 AM: kelly@rightmedia[2].txt (ID = 3259)
11:28 AM: Found Spy Cookie: rn11 cookie
11:28 AM: kelly@rn11[2].txt (ID = 3261)
11:28 AM: Found Spy Cookie: web-stat cookie
11:28 AM: kelly@server3.web-stat[2].txt (ID = 3649)
11:28 AM: Found Spy Cookie: servlet cookie
11:28 AM: kelly@servlet[1].txt (ID = 3345)
11:28 AM: Found Spy Cookie: spywarestormer cookie
11:28 AM: kelly@spywarestormer[1].txt (ID = 3417)
11:28 AM: kelly@stat.dealtime[2].txt (ID = 2506)
11:28 AM: kelly@sub.reunion[1].txt (ID = 3256)
11:28 AM: Found Spy Cookie: trb.com cookie
11:28 AM: kelly@trb[2].txt (ID = 3587)
11:28 AM: Found Spy Cookie: uproar cookie
11:28 AM: kelly@uproar[1].txt (ID = 3612)
11:28 AM: Found Spy Cookie: upspiral cookie
11:28 AM: kelly@upspiral[2].txt (ID = 3614)
11:28 AM: kelly@wb11tv.trb[2].txt (ID = 3588)
11:28 AM: kelly@www.affiliatefuel[2].txt (ID = 2202)
11:28 AM: Found Spy Cookie: redzip cookie
11:28 AM: kelly@www.redzip[1].txt (ID = 3250)
11:28 AM: kelly@www.screensavers[2].txt (ID = 3298)
11:28 AM: kelly@www.upspiral[1].txt (ID = 3615)
11:28 AM: Found Spy Cookie: primaryads cookie
11:28 AM: gale@1.primaryads[2].txt (ID = 3190)
11:28 AM: gale@2o7[1].txt (ID = 1957)
11:28 AM: Found Spy Cookie: 382 cookie
11:28 AM: gale@382[1].txt (ID = 1965)
11:28 AM: Found Spy Cookie: 3 cookie
11:28 AM: gale@3[1].txt (ID = 1959)
11:28 AM: Found Spy Cookie: 412 cookie
11:28 AM: gale@412[1].txt (ID = 1969)
11:28 AM: Found Spy Cookie: 447 cookie
11:28 AM: gale@447[1].txt (ID = 1973)
11:28 AM: gale@4wheeldrive.about[1].txt (ID = 2038)
11:28 AM: Found Spy Cookie: 64.62.232 cookie
11:28 AM: gale@64.62.232[1].txt (ID = 1987)
11:28 AM: gale@64.62.232[3].txt (ID = 1987)
11:28 AM: gale@64.62.232[4].txt (ID = 1987)
11:28 AM: gale@64.62.232[5].txt (ID = 1987)
11:28 AM: gale@64.62.232[6].txt (ID = 1987)
11:28 AM: gale@a.websponsors[1].txt (ID = 3665)
11:28 AM: gale@abclocal.go[1].txt (ID = 2729)
11:28 AM: gale@about[1].txt (ID = 2037)
11:28 AM: Found Spy Cookie: yieldmanager cookie
11:28 AM: gale@ad.yieldmanager[1].txt (ID = 3751)
11:28 AM: Found Spy Cookie: adecn cookie
11:28 AM: gale@adecn[1].txt (ID = 2063)
11:28 AM: gale@adknowledge[2].txt (ID = 2072)
11:28 AM: Found Spy Cookie: hbmediapro cookie
11:28 AM: gale@adopt.hbmediapro[1].txt (ID = 2768)
11:28 AM: Found Spy Cookie: precisead cookie
11:28 AM: gale@adopt.precisead[1].txt (ID = 3182)
11:28 AM: Found Spy Cookie: specificclick.com cookie
11:28 AM: gale@adopt.specificclick[1].txt (ID = 3400)
11:28 AM: Found Spy Cookie: adrevolver cookie
11:28 AM: gale@adrevolver[1].txt (ID = 2088)
11:28 AM: gale@adrevolver[2].txt (ID = 2088)
11:28 AM: Found Spy Cookie: addynamix cookie
11:28 AM: gale@ads.addynamix[2].txt (ID = 2062)
11:28 AM: Found Spy Cookie: belointeractive cookie
11:28 AM: gale@ads.belointeractive[1].txt (ID = 2295)
11:28 AM: Found Spy Cookie: cc214142 cookie
11:28 AM: gale@ads.cc214142[1].txt (ID = 2367)
11:28 AM: Found Spy Cookie: pointroll cookie
11:28 AM: gale@ads.pointroll[2].txt (ID = 3148)
11:28 AM: gale@ask[1].txt (ID = 2245)
11:28 AM: gale@asthma.about[1].txt (ID = 2038)
11:28 AM: gale@atdmt[2].txt (ID = 2253)
11:28 AM: gale@ath.belnk[1].txt (ID = 2293)
11:28 AM: gale@atwola[2].txt (ID = 2255)
11:28 AM: Found Spy Cookie: azjmp cookie
11:28 AM: gale@azjmp[1].txt (ID = 2270)
11:28 AM: Found Spy Cookie: banners cookie
11:28 AM: gale@banners[1].txt (ID = 2282)
11:28 AM: Found Spy Cookie: banner cookie
11:28 AM: gale@banner[1].txt (ID = 2276)
11:28 AM: gale@belnk[1].txt (ID = 2292)
11:28 AM: Found Spy Cookie: burstnet cookie
11:28 AM: gale@burstnet[2].txt (ID = 2336)
11:28 AM: gale@c.fsx[1].txt (ID = 2286)
11:28 AM: gale@camping.about[1].txt (ID = 2038)
11:28 AM: Found Spy Cookie: cardomain cookie
11:28 AM: gale@cardomain[2].txt (ID = 2350)
11:28 AM: Found Spy Cookie: ccbill cookie
11:28 AM: gale@ccbill[2].txt (ID = 2369)
11:28 AM: Found Spy Cookie: 360i cookie
11:28 AM: gale@ct.360i[2].txt (ID = 1962)
11:28 AM: Found Spy Cookie: customer cookie
11:28 AM: gale@customer[1].txt (ID = 2481)
11:28 AM: gale@did-it[2].txt (ID = 2523)
11:28 AM: gale@dist.belnk[1].txt (ID = 2293)
11:28 AM: gale@espn.go[2].txt (ID = 2729)
11:28 AM: gale@experts.about[2].txt (ID = 2038)
11:28 AM: Found Spy Cookie: fastclick cookie
11:28 AM: gale@fastclick[1].txt (ID = 2651)
11:28 AM: gale@forestry.about[1].txt (ID = 2038)
11:28 AM: Found Spy Cookie: wegcash cookie
11:28 AM: gale@free.wegcash[2].txt (ID = 3682)
11:28 AM: gale@geography.about[1].txt (ID = 2038)
11:28 AM: gale@go2net[1].txt (ID = 2730)
11:28 AM: Found Spy Cookie: gostats cookie
11:28 AM: gale@gostats[2].txt (ID = 2747)
11:28 AM: gale@go[2].txt (ID = 2728)
11:28 AM: gale@homepage.belointeractive[2].txt (ID = 2295)
11:28 AM: gale@homestore[2].txt (ID = 2793)
11:28 AM: gale@i.screensavers[1].txt (ID = 3298)
11:28 AM: gale@ic-live[1].txt (ID = 2821)
11:28 AM: Found Spy Cookie: kinghost cookie
11:28 AM: gale@kinghost[2].txt (ID = 2903)
11:28 AM: Found Spy Cookie: domainsponsor cookie
11:28 AM: gale@landing.domainsponsor[1].txt (ID = 2535)
11:28 AM: gale@metareward[2].txt (ID = 2990)
11:28 AM: Found Spy Cookie: military cookie
11:28 AM: gale@military[2].txt (ID = 2996)
11:28 AM: Found Spy Cookie: mrskin cookie
11:28 AM: gale@mrskin[1].txt (ID = 3020)
11:28 AM: gale@nextag[1].txt (ID = 5014)
11:28 AM: Found Spy Cookie: outster cookie
11:28 AM: gale@outster[2].txt (ID = 3103)
11:28 AM: gale@paranormal.about[1].txt (ID = 2038)
11:28 AM: gale@pediatrics.about[1].txt (ID = 2038)
11:28 AM: gale@questionmarket[1].txt (ID = 3217)
11:28 AM: Found Spy Cookie: rednova cookie
11:28 AM: gale@rednova[1].txt (ID = 3245)
11:28 AM: gale@reunion[1].txt (ID = 3255)
11:28 AM: Found Spy Cookie: revenue.net cookie
11:28 AM: gale@revenue[1].txt (ID = 3257)
11:28 AM: gale@rightmedia[2].txt (ID = 3259)
11:28 AM: Found Spy Cookie: search123 cookie
11:28 AM: gale@search123[1].txt (ID = 3305)
11:28 AM: Found Spy Cookie: techtarget cookie
11:28 AM: gale@searchwebservices.techtarget[2].txt (ID = 3500)
11:28 AM: gale@server3.web-stat[2].txt (ID = 3649)
11:28 AM: gale@servlet[1].txt (ID = 3345)
11:28 AM: gale@servlet[2].txt (ID = 3345)
11:28 AM: gale@southernfood.about[2].txt (ID = 2038)
11:28 AM: Found Spy Cookie: starware.com cookie
11:28 AM: gale@starware[2].txt (ID = 3441)
11:28 AM: Found Spy Cookie: statcounter cookie
11:28 AM: gale@statcounter[1].txt (ID = 3447)
11:28 AM: Found Spy Cookie: reliablestats cookie
11:28 AM: gale@stats1.reliablestats[2].txt (ID = 3254)
11:28 AM: Found Spy Cookie: toplist cookie
11:28 AM: gale@toplist[1].txt (ID = 3557)
11:28 AM: Found Spy Cookie: tracking cookie
11:28 AM: gale@tracking[1].txt (ID = 3571)
11:28 AM: Found Spy Cookie: tribalfusion cookie
11:28 AM: gale@tribalfusion[1].txt (ID = 3589)
11:28 AM: Found Spy Cookie: videodome cookie
11:28 AM: gale@videodome[1].txt (ID = 3638)
11:28 AM: Found Spy Cookie: webpower cookie
11:28 AM: gale@webpower[1].txt (ID = 3660)
11:28 AM: gale@whatis.techtarget[1].txt (ID = 3500)
11:28 AM: Found Spy Cookie: burstbeacon cookie
11:28 AM: gale@www.burstbeacon[1].txt (ID = 2335)
11:28 AM: gale@www.burstnet[1].txt (ID = 2337)
11:28 AM: Found Spy Cookie: cd freaks cookie
11:28 AM: gale@www.cdfreaks[2].txt (ID = 2371)
11:28 AM: Found Spy Cookie: consumerfreedom.com cookie
11:28 AM: gale@www.consumerfreedom[2].txt (ID = 2460)
11:28 AM: Found Spy Cookie: megago cookie
11:28 AM: gale@www.qualitymedicalinc.freeservers[2].txt (ID = 2983)
11:28 AM: gale@www.screensavers[1].txt (ID = 3298)
11:28 AM: Found Spy Cookie: seeq cookie
11:28 AM: gale@www.seeq[1].txt (ID = 3332)
11:28 AM: gale@www.web-stat[2].txt (ID = 3649)
11:28 AM: Found Spy Cookie: xxx69 cookie
11:28 AM: gale@www.xxx69[2].txt (ID = 3732)
11:28 AM: gale@www48.seeq[1].txt (ID = 3332)
11:28 AM: Found Spy Cookie: xiti cookie
11:28 AM: gale@xiti[1].txt (ID = 3717)
11:28 AM: Found Spy Cookie: xxxdate cookie
11:28 AM: gale@xxxdate[1].txt (ID = 3735)
11:28 AM: Found Spy Cookie: yadro cookie
11:28 AM: gale@yadro[2].txt (ID = 3743)
11:28 AM: Cookie Sweep Complete, Elapsed Time: 00:00:13
11:28 AM: Starting File Sweep
11:28 AM: Found Adware: smart-browser
11:28 AM: c:\program files\sb (5 subtraces) (ID = -2147480318)
11:28 AM: msclock32.dll (ID = 158351)
11:29 AM: msplock32.dll (ID = 158351)
11:31 AM: tmlpcert2005 (ID = 63918)
11:31 AM: File Sweep Complete, Elapsed Time: 00:02:48
11:31 AM: Full Sweep has completed. Elapsed time 00:05:02
11:31 AM: Traces Found: 184
11:35 AM: Removal process initiated
11:35 AM: Quarantining All Traces: instant access
11:35 AM: instant access is in use. It will be removed on reboot.
11:35 AM: msclock32.dll is in use. It will be removed on reboot.
11:35 AM: msplock32.dll is in use. It will be removed on reboot.
11:35 AM: Quarantining All Traces: one2one viewer
11:35 AM: Quarantining All Traces: smart-browser
11:35 AM: Quarantining All Traces: 2o7.net cookie
11:35 AM: Quarantining All Traces: 3 cookie
11:35 AM: Quarantining All Traces: 360i cookie
11:35 AM: Quarantining All Traces: 382 cookie
11:35 AM: Quarantining All Traces: 412 cookie
11:35 AM: Quarantining All Traces: 447 cookie
11:35 AM: Quarantining All Traces: 64.62.232 cookie
11:35 AM: Quarantining All Traces: about cookie
11:35 AM: Quarantining All Traces: accoona cookie
11:35 AM: Quarantining All Traces: addynamix cookie
11:35 AM: Quarantining All Traces: adecn cookie
11:35 AM: Quarantining All Traces: adknowledge cookie
11:35 AM: Quarantining All Traces: adprofile cookie
11:35 AM: Quarantining All Traces: adrevolver cookie
11:35 AM: Quarantining All Traces: affiliatefuel.com cookie
11:35 AM: Quarantining All Traces: ask cookie
11:35 AM: Quarantining All Traces: atlas dmt cookie
11:35 AM: Quarantining All Traces: atwola cookie
11:35 AM: Quarantining All Traces: azjmp cookie
11:35 AM: Quarantining All Traces: banner cookie
11:35 AM: Quarantining All Traces: banners cookie
11:35 AM: Quarantining All Traces: bannerspace cookie
11:35 AM: Quarantining All Traces: belnk cookie
11:35 AM: Quarantining All Traces: belointeractive cookie
11:35 AM: Quarantining All Traces: bizrate cookie
11:35 AM: Quarantining All Traces: burstbeacon cookie
11:35 AM: Quarantining All Traces: burstnet cookie
11:35 AM: Quarantining All Traces: captaincode cookie
11:35 AM: Quarantining All Traces: cardomain cookie
11:35 AM: Quarantining All Traces: cc214142 cookie
11:35 AM: Quarantining All Traces: ccbill cookie
11:35 AM: Quarantining All Traces: cd freaks cookie
11:35 AM: Quarantining All Traces: classmates cookie
11:35 AM: Quarantining All Traces: consumerfreedom.com cookie
11:35 AM: Quarantining All Traces: coolsavings cookie
11:35 AM: Quarantining All Traces: customer cookie
11:35 AM: Quarantining All Traces: dealtime cookie
11:35 AM: Quarantining All Traces: did-it cookie
11:35 AM: Quarantining All Traces: domainsponsor cookie
11:35 AM: Quarantining All Traces: fastclick cookie
11:35 AM: Quarantining All Traces: go.com cookie
11:35 AM: Quarantining All Traces: go2net.com cookie
11:35 AM: Quarantining All Traces: goclick cookie
11:35 AM: Quarantining All Traces: gostats cookie
11:35 AM: Quarantining All Traces: hbmediapro cookie
11:35 AM: Quarantining All Traces: homestore cookie
11:35 AM: Quarantining All Traces: ic-live cookie
11:35 AM: Quarantining All Traces: infospace cookie
11:35 AM: Quarantining All Traces: kinghost cookie
11:35 AM: Quarantining All Traces: kount cookie
11:35 AM: Quarantining All Traces: megago cookie
11:35 AM: Quarantining All Traces: metareward.com cookie
11:35 AM: Quarantining All Traces: military cookie
11:35 AM: Quarantining All Traces: mrskin cookie
11:35 AM: Quarantining All Traces: nextag cookie
11:35 AM: Quarantining All Traces: outster cookie
11:35 AM: Quarantining All Traces: pointroll cookie
11:35 AM: Quarantining All Traces: precisead cookie
11:35 AM: Quarantining All Traces: primaryads cookie
11:35 AM: Quarantining All Traces: pub cookie
11:35 AM: Quarantining All Traces: questionmarket cookie
11:35 AM: Quarantining All Traces: rednova cookie
11:35 AM: Quarantining All Traces: redzip cookie
11:35 AM: Quarantining All Traces: reliablestats cookie
11:35 AM: Quarantining All Traces: reunion cookie
11:35 AM: Quarantining All Traces: revenue.net cookie
11:35 AM: Quarantining All Traces: rightmedia cookie
11:35 AM: Quarantining All Traces: rn11 cookie
11:35 AM: Quarantining All Traces: screensavers.com cookie
11:35 AM: Quarantining All Traces: search123 cookie
11:35 AM: Quarantining All Traces: seeq cookie
11:35 AM: Quarantining All Traces: serving-sys cookie
11:35 AM: Quarantining All Traces: servlet cookie
11:35 AM: Quarantining All Traces: specificclick.com cookie
11:35 AM: Quarantining All Traces: spywarestormer cookie
11:35 AM: Quarantining All Traces: starware.com cookie
11:35 AM: Quarantining All Traces: statcounter cookie
11:35 AM: Quarantining All Traces: techtarget cookie
11:35 AM: Quarantining All Traces: tickle cookie
11:35 AM: Quarantining All Traces: toplist cookie
11:35 AM: Quarantining All Traces: tracking cookie
11:35 AM: Quarantining All Traces: trb.com cookie
11:35 AM: Quarantining All Traces: tribalfusion cookie
11:35 AM: Quarantining All Traces: uproar cookie
11:35 AM: Quarantining All Traces: upspiral cookie
11:35 AM: Quarantining All Traces: videodome cookie
11:35 AM: Quarantining All Traces: webpower cookie
11:35 AM: Quarantining All Traces: websponsors cookie
11:35 AM: Quarantining All Traces: web-stat cookie
11:35 AM: Quarantining All Traces: wegcash cookie
11:35 AM: Quarantining All Traces: xiti cookie
11:35 AM: Quarantining All Traces: xxx69 cookie
11:35 AM: Quarantining All Traces: xxxdate cookie
11:35 AM: Quarantining All Traces: xzoomy cookie
11:35 AM: Quarantining All Traces: yadro cookie
11:35 AM: Quarantining All Traces: yieldmanager cookie
11:35 AM: Removal process completed. Elapsed time 00:00:35
********
11:25 AM: | Start of Session, Thursday, October 13, 2005 |
11:25 AM: Spy Sweeper started
11:25 AM: Your spyware definitions have been updated.
11:26 AM: | End of Session, Thursday, October 13, 2005 |

Edited by showme69, 13 October 2005 - 02:38 PM.

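The Spy Sweeper session log above has one shape throughout: a "Found <category>: <name>" header followed by its trace lines, then a removal phase in which in-use files are deferred to reboot. As an added example, not code from the thread or from Webroot, the Python below groups traces under their detection, keeps tracking cookies apart from the adware findings, and lists the traces marked for removal on reboot so they can be re-checked after the restart, which is the step where this cleanup stalled. The sample session is a constructed, condensed excerpt in the posted format.

```python
"""Added example (not code from the thread or from Webroot): parse the Spy
Sweeper session-log format posted above. Trace lines are attached to the
preceding "Found <category>: <name>" header; the ID on each trace is the
definition that matched it and is the more reliable link when a trace is
logged under a neighbouring header (as happens with the go.com cookies above)."""
import re
from collections import defaultdict

# Constructed, condensed excerpt in the format of the session log above.
SAMPLE_SESSION = r"""
11:26 AM: | Start of Session, Thursday, October 13, 2005 |
11:26 AM: Spy Sweeper started
11:28 AM: Starting Registry Sweep
11:28 AM: Found Adware: one2one viewer
11:28 AM: HKU\WRSS_Profile_S-1-5-21-465877025-94767022-1036326097-1006\software\livesvc\ (1 subtraces) (ID = 136368)
11:28 AM: Registry Sweep Complete, Elapsed Time:00:00:16
11:28 AM: Starting Cookie Sweep
11:28 AM: Found Spy Cookie: 2o7.net cookie
11:28 AM: isaac@2o7[1].txt (ID = 1957)
11:28 AM: Found Spy Cookie: about cookie
11:28 AM: isaac@about[2].txt (ID = 2037)
11:28 AM: Starting File Sweep
11:28 AM: Found Adware: smart-browser
11:28 AM: c:\program files\sb (5 subtraces) (ID = -2147480318)
11:28 AM: msclock32.dll (ID = 158351)
11:29 AM: msplock32.dll (ID = 158351)
11:31 AM: Full Sweep has completed. Elapsed time 00:05:02
11:35 AM: Removal process initiated
11:35 AM: Quarantining All Traces: smart-browser
11:35 AM: msclock32.dll is in use. It will be removed on reboot.
11:35 AM: msplock32.dll is in use. It will be removed on reboot.
11:35 AM: Quarantining All Traces: 2o7.net cookie
11:35 AM: Removal process completed. Elapsed time 00:00:35
"""

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
TRACE_RE = re.compile(r"^(?P<trace>.+?)(?: \((?P<subtraces>\d+) subtraces\))? \(ID = (?P<id>-?\d+)\)$")
DEFER_RE = re.compile(r"^(?P<trace>.+) is in use\. It will be removed on reboot\.$")


def parse_session(text: str):
    """Return (detections, deferred). Each detection is a dict with category,
    name and its traces; deferred lists the traces Spy Sweeper could not remove
    because the file was in use, i.e. the ones to re-check after rebooting."""
    detections, deferred = [], []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if f := FOUND_RE.match(msg):
            current = {"category": f["category"], "name": f["name"], "traces": []}
            detections.append(current)
        elif d := DEFER_RE.match(msg):
            deferred.append(d["trace"])
        elif (t := TRACE_RE.match(msg)) and current is not None:
            current["traces"].append({
                "trace": t["trace"],
                "subtraces": int(t["subtraces"] or 0),
                "id": int(t["id"]),
            })
        else:
            current = None   # phase markers and summaries end the current block
    return detections, deferred


def summarize(detections, deferred):
    """Group detections by category so tracking cookies do not drown out the
    adware findings, and list what must be verified after the reboot."""
    by_category = defaultdict(list)
    for det in detections:
        by_category[det["category"]].append(det["name"])
    return {
        "by_category": dict(by_category),
        "non_cookie_detections": [d["name"] for d in detections if d["category"] != "Spy Cookie"],
        "verify_after_reboot": deferred,
    }


if __name__ == "__main__":
    dets, deferred = parse_session(SAMPLE_SESSION)
    report = summarize(dets, deferred)
    for category, names in report["by_category"].items():
        print(f"{category}: {len(names)} ({', '.join(names)})")
    for trace in report["verify_after_reboot"]:
        print(f"re-check after reboot: {trace}")
```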

#37
showme69 (Topic Starter, 48 posts)
I just got another window that popped up behind the current window I'm in from errornuker.com trying to get me to scan my computer. And I also had a small pop up appear from a casino. All of this is new since trying to get these files off the computer. I would have thought with all the programs I've been downloading and cleaning the computer with, new problems wouldn't start developing. Any suggestions?

#38
Buckeye_Sam (Malware Expert, 10,019 posts)
There's a number of steps that we have already taken that should have resolved this issue. But it's very resistant, which leads me to believe that you may have a new variant. Let's give this one more shot.

Disable System Restore:
1. Click Start, Settings, and then click Control Panel.
2. Double-click the System icon.
3. Click the Performance tab, and then click File System.
4. Click the Troubleshooting tab, and then check Disable System Restore.


============


Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
  • The update will start and a progress bar will show the updates being installed.
  • If you are having problems with the updater, you can use this link to manually update ewido.
    http://www.ewido.net...wnload/updates/


=============


Follow this next step very carefully.

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)


==============


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.


==============


Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.


===============


Run a full scan with Ewido.
Save the log and post it in your next reply.


===============


Run a full scan with Spysweeper.
Save the log and post it in your next reply.


===============


Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.

=============


Finally, reboot back into normal mode. Please post the logs from Spysweeper, Ewido, and a new hijackthis log. Let me know if you are still getting the popups from Mcafee.
  • 0

#39
showme69
    Member
  • Topic Starter
  • 48 posts
An FYI, when I click on System in the Control Panel, there's no Performance tab. There's a System Restore tab and I checkmarked Turn Off System Restore.
Also, under Internet Options, I didn't have a place to check Delete Offline Content.

Went through all the instructions and the PUP window continues to pop up. And I'm still getting the nuker.com and casino popups.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:41:57 PM, 10/13/2005
+ Report-Checksum: 324664FC

+ Scan result:

C:\Documents and Settings\Gale\Cookies\gale@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@banner.newyorkcasino[2].txt -> Spyware.Cookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@ehg-directv.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@ehg-traderelectronicmedia.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@newyorkcasino[1].txt -> Spyware.Cookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@www.casinotropez[2].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Isaac\Cookies\isaac@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\SYSTEM32\msclock32.dll -> Dialer.Generic : Cleaned with backup


::Report End




SPYSWEEPER LOG:

********
6:45 PM: | Start of Session, Thursday, October 13, 2005 |
6:45 PM: Spy Sweeper started
6:45 PM: Sweep initiated using definitions version 553
6:45 PM: Starting Memory Sweep
6:46 PM: Memory Sweep Complete, Elapsed Time: 00:00:37
6:46 PM: Starting Registry Sweep
6:46 PM: Registry Sweep Complete, Elapsed Time:00:00:22
6:46 PM: Starting Cookie Sweep
6:46 PM: Found Spy Cookie: atwola cookie
6:46 PM: gale@atwola[1].txt (ID = 2255)
6:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
6:46 PM: Starting File Sweep
6:49 PM: File Sweep Complete, Elapsed Time: 00:02:30
6:49 PM: Full Sweep has completed. Elapsed time 00:03:41
6:49 PM: Traces Found: 1
6:49 PM: Removal process initiated
6:49 PM: Quarantining All Traces: atwola cookie
6:49 PM: Removal process completed. Elapsed time 00:00:00




Logfile of HijackThis v1.99.1
Scan saved at 7:16:32 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\jfyhcakdv.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\program files\mailskinner\mailskinner.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yhti.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jfyhcakdv] c:\windows\system32\jfyhcakdv.exe -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...603/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33875E4F-4744-432E-8779-6E9813D4C611}: NameServer = 66.140.208.10
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by showme69, 13 October 2005 - 06:21 PM.

  • 0

#40
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Try this for me.

Click Start -> Run -> and copy this command:
c:\windows\system32\jfyhcakdv.exe -uninstall
and click OK.

You should get a prompt if you really want to uninstall the dialer. You do.


Reboot and post a new hijackthis log.
  • 0


#41
showme69
    Member
  • Topic Starter
  • 48 posts
PUP is still popping up as well as the nuker.com window.


Logfile of HijackThis v1.99.1
Scan saved at 3:25:57 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\program files\mailskinner\mailskinner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yhti.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...603/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33875E4F-4744-432E-8779-6E9813D4C611}: NameServer = 66.140.208.10
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
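The two HijackThis logs above differ in one autorun line: the O4 Run entry for jfyhcakdv.exe (and its running process) in the 10/13 log is absent from the 10/14 log, posted after the -uninstall switch was used. The Python below is an added example, not code from the thread or from HijackThis: it diffs two logs and flags O4 Run entries that point straight into system32 with a random-looking file name. The log excerpts are constructed from the posted logs, and the vowel-ratio heuristic with its thresholds is an assumption.

```python
"""Diff two HijackThis logs and flag O4 autorun entries worth a closer look.
Added example, not part of the thread: the excerpts are constructed from the 10/13
and 10/14 logs above; the name-randomness heuristic and its thresholds are assumptions."""
import re

HJT_BEFORE = r"""Logfile of HijackThis v1.99.1, 10/13/2005 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system32\jfyhcakdv.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jfyhcakdv] c:\windows\system32\jfyhcakdv.exe -start
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
"""

HJT_AFTER = r"""Logfile of HijackThis v1.99.1, 10/14/2005 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
"""

# HijackThis line shapes: "O4 - HKLM\..\Run: [name] command" and any "Rn/Fn/On - " entry.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - ")
EXE_PATH = re.compile(r'"?([^"]+?\.exe)"?', re.IGNORECASE)


def parse_hjt(text):
    """Split a log into the 'Running processes' list and the numbered entries."""
    processes, entries, in_processes = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_processes = False            # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line.lower())  # HJT mixes System32/system32 casing
        elif ENTRY.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def diff_logs(before_text, after_text):
    """What disappeared and what appeared between two logs of the same machine."""
    b, a = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "removed": [e for e in b["entries"] if e not in a["entries"]],
        "added": [e for e in a["entries"] if e not in b["entries"]],
        "processes_gone": sorted(set(b["processes"]) - set(a["processes"])),
        "processes_new": sorted(set(a["processes"]) - set(b["processes"])),
    }


def looks_random(stem, min_len=7, max_vowel_ratio=0.25):
    """Assumed heuristic: long, nearly vowel-free names (jfyhcakdv) are typical of
    generated dropper names, while real ones (realsched, mailskinner) keep a vowel
    share around a third.  An analyst still has to confirm each hit."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < max_vowel_ratio


def suspicious_run_entries(text):
    """O4 Run entries whose target sits directly in \\windows\\system32 (not a
    subfolder) and has a random-looking name; returns (entry name, exe path) pairs."""
    hits = []
    for entry in parse_hjt(text)["entries"]:
        m = O4_RUN.match(entry)
        p = EXE_PATH.search(m.group("cmd")) if m else None
        if not p:
            continue
        parts = p.group(1).lower().split("\\")
        if parts[-3:-1] == ["windows", "system32"] and looks_random(parts[-1].rsplit(".", 1)[0]):
            hits.append((m.group("name"), p.group(1)))
    return hits


if __name__ == "__main__":
    print(diff_logs(HJT_BEFORE, HJT_AFTER))
    print(suspicious_run_entries(HJT_BEFORE))
```

On the constructed excerpts the diff reports only the jfyhcakdv O4 line and process as gone, and the heuristic flags that same entry in the 10/13 log while leaving hpztsb04.exe alone because it lives in a subfolder of system32.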

#42
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts

You should get a prompt if you really want to uninstall the dialer. You do.

Did you get this prompt?


Please run a scan with Ewido in Safe mode and post the log here in your next reply.
  • 0

#43
showme69
    Member
  • Topic Starter
  • 48 posts
I did get the prompt to uninstall the dialer and I clicked OK.

Don't want to count my chicks before they're hatched but the PUP hasn't popped up yet. I'm totally confused. I did the earlier Ewido scan and it said it deleted all the spyware. This time it found even more including the casino stuff and says it deleted it. I haven't seen the casino popups either. Why would they still have been on there after the earlier scan and removal and this time gone? This stuff boggles my mind.
And I'm still trying to figure out how the casino spyware got on there this week.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:47:10 PM, 10/14/2005
+ Report-Checksum: 3E54C04E

+ Scan result:

C:\Documents and Settings\Gale\Cookies\gale@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@banner.goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@ehg-bestbuy.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Gale\Cookies\gale@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Kelly\Cookies\kelly@www.casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\WINDOWS\SYSTEM32\msclock32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Dialer.Generic : Cleaned with backup


::Report End
  • 0

#44
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Those are just cookies, and not too much to worry about. You're always going to pick up cookies from surfing the net, unless you start blocking them all.

Any sign of msclock32.dll lately?
  • 0

#45
showme69
    Member
  • Topic Starter
  • 48 posts
Looks like it was finally taken care of. Thanks for your help. Just to help me understand a little better, could you explain what finally allowed it to be deleted when all the other attempts failed?
  • 0