Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HELP winfixer problem [RESOLVED]

Started by jfin , Nov 10 2005 04:15 AM

This topic is locked

#1
jfin

Posted 10 November 2005 - 04:15 AM

New Member

Member
5 posts

please help me get rid of this problem

Logfile of HijackThis v1.99.1

Scan saved at 9:12:50 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ozemail.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ozemail.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [wpwmgrs] wpwmgrs.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\RunServices: [wpwmgrs] wpwmgrs.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Documents and Settings\jeff\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Documents and Settings\jeff\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119318266607
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\Software\..\Telephony: DomainName = jeff
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jeff
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O21 - SSODL: MAGIX mp3 maker SE - {C4D26D02-D9FF-9CD0-5AE7-EAF09A5DA441} - c:\magix\mp3_maker_se\winyqnm32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Edited by jfin, 10 November 2005 - 04:49 AM.

#2
Crustyoldbloke

Posted 10 November 2005 - 06:16 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello Jeff and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and the dreaded Virtumonde (Vundo B) infection. Let’s see what we can do with the first sweep.

Firstly could you please disable SpyCatcher from running during the fix, it may just hinder our attempts to change anything.

Please also disable Ewido Guard for the same reason. Open Ewido and remove the guard option.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

You have some entries in your HijackThis log which adds your PC to an outside network (along the lines of a P2P Network); you may not be aware of this. This is called “The Bonjour Package” which is being bundled with iTunes.

You may choose if you want me to delete it, or if you wish to download a programme to disable it, or just leave it as it is. I cannot comment on the consequences of leaving it in place or the efficacy of the disabling programme.

This is the link to the disabling programme: http://gizmoproject.com/jasmine/ select TurnOffBonjour.exe

Download CWShredder CWShredder, unzip it, and save it on the Desktop. Run CWShredder to fix your CWS problem.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter once.
Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\System32\ddaby.dll
Press Enter to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:
At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\ybadd.*
Press Enter to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items and click FIX CHECKED: R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O4 - HKLM\..\Run: [wpwmgrs] wpwmgrs.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\RunServices: [wpwmgrs] wpwmgrs.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O21 - SSODL: MAGIX mp3 maker SE - {C4D26D02-D9FF-9CD0-5AE7-EAF09A5DA441} - c:\magix\mp3_maker_se\winyqnm32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - (no file)
After you have fixed these items, close Hijackthis.
Press enter to exit the programme then manually reboot your computer.
Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programmes menu).
Set the programme up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the programme.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Reboot normally

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3
jfin

Posted 11 November 2005 - 06:24 AM

New Member

Topic Starter
Member
5 posts

Desktop
Start menu
Taskbar
Internet browser toolbar

My Computer
Local Disks
Floppy Disk
My Documents
Email
Other Media
Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0

Logfile of HijackThis v1.99.1
Scan saved at 11:17:11 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ozemail.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ozemail.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Documents and Settings\jeff\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Documents and Settings\jeff\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119318266607
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\Software\..\Telephony: DomainName = jeff
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jeff
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\ddaby.dll

The second filepath entered was

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.

Killing PID 716 'explorer.exe'
Killing PID 716 'explorer.exe'

Killing PID 244 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete c:\windows\system32\ddaby.dll.

Fixing Registry
--------------------------------------------------------------------------------------

#4
Crustyoldbloke

Posted 11 November 2005 - 09:35 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again

You still have Virtumonde (Vundo B) infection. You appear to have not entered a second file path into the vundofix tool, according to the report.

Again could you please disable Ewido Guard from running during the fix, it may just hinder our attempts to change anything.

Please also disable SpyCatcher for the same reason.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter once.
Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):[list] C:\WINDOWS\System32\ddaby.dll

[*]Press Enter to continue with the fix.
[*] Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

[*]At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\ybadd.*
[*]Press Enter to continue with the fix.
[*]The fix will run then HijackThis will open, if it does not open automatically please open it manually.
[*]In HiJackThis, please place a check next to the following items and click FIX CHECKED: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
After you have fixed these items, close Hijackthis.
Press enter to exit the programme then manually reboot your computer.

Please post a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#5
jfin

Posted 12 November 2005 - 05:03 AM

New Member

Topic Starter
Member
5 posts

Logfile of HijackThis v1.99.1
Scan saved at 9:48:17 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\progra~1\softwin\bitdef~1\bdnews.exe
C:\Documents and Settings\jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ozemail.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ozemail.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Documents and Settings\jeff\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Documents and Settings\jeff\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119318266607
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\Software\..\Telephony: DomainName = jeff
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jeff
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\WINDOWS\system32\ddaby.dll

The second filepath entered was c:\WINDOWS\system32\ybadd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.

Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'

Killing PID 244 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete c:\WINDOWS\system32\ddaby.dll.
c:\WINDOWS\system32\ybadd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#6
Crustyoldbloke

Posted 12 November 2005 - 08:32 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again

You appear to have a problem which I can't see. It could be a system file corruption, a permissions problem or a bad download of the Vundofix.

Ewido Guard is still active. You MUST disable it by opening Ewido and removing the guard option. Normally you have to reboot too to make it effective.

Please delete your copy of the Vundofix and download a fresh one. Try the Vundo fix again but this time in normal mode - do not boot to safe mode. The report will tell you if it was successful. If both files are not deleted, please try this.

Download the Trial Version Spy Sweeper it is a 14-day trial.

Install it.
Once the programme is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, reboot into Safe Mode. Re-open Spysweeper, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Whichever you did, perhaps both, continue with this part.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddaby.dll
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll

Click on Fix Checked when finished and exit HijackThis.

Reboot normally.

Please reply with logs for HJT, VundoFix or SpySweeper or both.

#7
jfin

Posted 13 November 2005 - 01:38 AM

New Member

Topic Starter
Member
5 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:20:09 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ozemail.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ozemail.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Documents and Settings\jeff\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Documents and Settings\jeff\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119318266607
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\Software\..\Telephony: DomainName = jeff
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jeff
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jeff
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\ddaby.dll

The second filepath entered was c:\windows\system32\ybadd.

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.

Killing PID 756 'explorer.exe'
Killing PID 756 'explorer.exe'

Killing PID 244 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

c:\windows\system32\ddaby.dll Deleted sucessfully.
c:\windows\system32\ybadd. Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

********
5:42 PM: | Start of Session, Monday, November 14, 2005 |
5:42 PM: Spy Sweeper started
5:42 PM: Sweep initiated using definitions version 572
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Starting Memory Sweep
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Found Adware: virtumonde
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Detected running threat: C:\WINDOWS\system32\ddaby.dll (ID = 77)
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:42 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Memory Sweep Complete, Elapsed Time: 00:01:01
5:43 PM: Starting Registry Sweep
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: screensavers
5:43 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
5:43 PM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
5:43 PM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
5:43 PM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
5:43 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
5:43 PM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
5:43 PM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
5:43 PM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
5:43 PM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
5:43 PM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
5:43 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
5:43 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
5:43 PM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
5:43 PM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
5:43 PM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
5:43 PM: HKLM\software\screensavers.com\ (15 subtraces) (ID = 140569)
5:43 PM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
5:43 PM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
5:43 PM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
5:43 PM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
5:43 PM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
5:43 PM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
5:43 PM: Found Trojan Horse: sdbot
5:43 PM: HKU\.default\software\microsoft\windows\currentversion\runonce\ || microsoft windows update (ID = 140592)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: cnsmin
5:43 PM: HKCR\clsid\{d449eb58-55af-4695-b216-895d546aed89}\ (11 subtraces) (ID = 393334)
5:43 PM: HKCR\typelib\{b7db519e-7131-47b1-a9f5-da8d061c2611}\ (9 subtraces) (ID = 393356)
5:43 PM: HKLM\software\classes\clsid\{d449eb58-55af-4695-b216-895d546aed89}\ (11 subtraces) (ID = 393465)
5:43 PM: HKLM\software\classes\typelib\{b7db519e-7131-47b1-a9f5-da8d061c2611}\ (9 subtraces) (ID = 393487)
5:43 PM: Found Trojan Horse: trojan-backdoor-zubox
5:43 PM: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
5:43 PM: HKLM\software\windows\ || shots (ID = 650869)
5:43 PM: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
5:43 PM: Found Trojan Horse: trojan-phisher-egold
5:43 PM: HKLM\system\currentcontrolset\services\msudp4\ (11 subtraces) (ID = 652525)
5:43 PM: HKLM\system\currentcontrolset\enum\root\legacy_msudp4\ (10 subtraces) (ID = 658004)
5:43 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
5:43 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
5:43 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
5:43 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
5:43 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
5:43 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
5:43 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: systemprocess
5:43 PM: HKLM\software\system process\ (10 subtraces) (ID = 860391)
5:43 PM: HKLM\software\system process\ || modid (ID = 860392)
5:43 PM: HKLM\software\system process\ || started (ID = 860395)
5:43 PM: HKLM\software\system process\ || installed (ID = 860396)
5:43 PM: HKLM\software\system process\ || dllver (ID = 860397)
5:43 PM: HKLM\software\system process\ || lastupdatetime (ID = 860398)
5:43 PM: HKLM\software\system process\files\ (4 subtraces) (ID = 860399)
5:43 PM: HKLM\software\system process\files\ || system.dat (ID = 860400)
5:43 PM: HKLM\software\system process\files\ || navshext.dll (ID = 860401)
5:43 PM: HKLM\software\system process\files\ || ustart.exe (ID = 860402)
5:43 PM: HKLM\software\system process\files\ || p.dat (ID = 860403)
5:43 PM: HKLM\software\microsoft\windows\currentversion\uninstall\startup\ (2 subtraces) (ID = 860412)
5:43 PM: Found Adware: hotbar
5:43 PM: HKLM\software\spamblockerutility\ (16 subtraces) (ID = 978182)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: starware toolbar
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\starware\ (12 subtraces) (ID = 142866)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\mzs\mdms\ (7 subtraces) (ID = 480808)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\mzs\mdms\mzu\ || pt (ID = 656825)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\system process\ (1 subtraces) (ID = 860389)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1006\software\system process\ || lastptime (ID = 860390)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: findthewebsiteyouneed hijacker
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140604)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\starware\ (13 subtraces) (ID = 142866)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\mzs\mdms\ (7 subtraces) (ID = 480808)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
5:43 PM: Found Trojan Horse: trojan-backdoor-us15info
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\mzs\mdms\mzu\ || pt (ID = 656825)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\system process\ (1 subtraces) (ID = 860389)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1005\software\system process\ || lastptime (ID = 860390)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || search page (ID = 125238)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || start page (ID = 125239)
5:43 PM: Found Adware: ist software
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\ist\ (1 subtraces) (ID = 129108)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140604)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\starware\ (12 subtraces) (ID = 142866)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\mzs\mdms\ (7 subtraces) (ID = 480808)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\mzs\mdms\mzu\ || pt (ID = 656825)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\system process\ (1 subtraces) (ID = 860389)
5:43 PM: HKU\WRSS_Profile_S-1-5-21-329068152-1214440339-1417001333-1004\software\system process\ || lastptime (ID = 860390)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Found Adware: w-find.com hijacker
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\microsoft\internet explorer\ || {a3dfd66b-f281-421a-b922-426c75e19f06} (ID = 203850)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\microsoft\internet explorer\ || {34cec74f-8ecf-4125-acf5-d2cd5f6b0715} (ID = 203851)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\microsoft\internet explorer\ || verkey3prev (ID = 203852)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\microsoft\internet explorer\ || verkey3 (ID = 203853)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\system process\ (1 subtraces) (ID = 860389)
5:43 PM: HKU\S-1-5-21-329068152-1214440339-1417001333-1003\software\system process\ || lastptime (ID = 860390)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || microsoft windows update (ID = 140628)
5:43 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: HKU\S-1-5-18\software\system process\ (1 subtraces) (ID = 860389)
5:43 PM: HKU\S-1-5-18\software\system process\ || lastptime (ID = 860390)
5:43 PM: Registry Sweep Complete, Elapsed Time:00:00:28
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:43 PM: Starting Cookie Sweep
5:43 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Found Spy Cookie: 00fun cookie
5:44 PM: ellise@00fun[1].txt (ID = 1909)
5:44 PM: Found Spy Cookie: 247realmedia cookie
5:44 PM: ellise@247realmedia[1].txt (ID = 1953)
5:44 PM: Found Spy Cookie: 2o7.net cookie
5:44 PM: ellise@2o7[2].txt (ID = 1957)
5:44 PM: Found Spy Cookie: 3 cookie
5:44 PM: ellise@3[2].txt (ID = 1959)
5:44 PM: ellise@3[3].txt (ID = 1959)
5:44 PM: Found Spy Cookie: 64.62.232 cookie
5:44 PM: [email protected][1].txt (ID = 1987)
5:44 PM: [email protected][2].txt (ID = 1987)
5:44 PM: Found Spy Cookie: 66.230.183 cookie
5:44 PM: [email protected][1].txt (ID = 1993)
5:44 PM: Found Spy Cookie: 888 cookie
5:44 PM: ellise@888[1].txt (ID = 2019)
5:44 PM: Found Spy Cookie: websponsors cookie
5:44 PM: [email protected][2].txt (ID = 3665)
5:44 PM: Found Spy Cookie: accoona cookie
5:44 PM: ellise@accoona[2].txt (ID = 2041)
5:44 PM: Found Spy Cookie: ad-logics cookie
5:44 PM: ellise@ad-logics[1].txt (ID = 2049)
5:44 PM: Found Spy Cookie: yieldmanager cookie
5:44 PM: [email protected][2].txt (ID = 3751)
5:44 PM: [email protected][3].txt (ID = 3751)
5:44 PM: Found Spy Cookie: adecn cookie
5:44 PM: ellise@adecn[2].txt (ID = 2063)
5:44 PM: Found Spy Cookie: hbmediapro cookie
5:44 PM: [email protected][2].txt (ID = 2768)
5:44 PM: Found Spy Cookie: adrevolver cookie
5:44 PM: ellise@adrevolver[1].txt (ID = 2088)
5:44 PM: ellise@adrevolver[2].txt (ID = 2088)
5:44 PM: Found Spy Cookie: pointroll cookie
5:44 PM: [email protected][2].txt (ID = 3148)
5:44 PM: Found Spy Cookie: advertising cookie
5:44 PM: ellise@advertising[1].txt (ID = 2175)
5:44 PM: Found Spy Cookie: apmebf cookie
5:44 PM: ellise@apmebf[1].txt (ID = 2229)
5:44 PM: Found Spy Cookie: falkag cookie
5:44 PM: [email protected][2].txt (ID = 2650)
5:44 PM: Found Spy Cookie: atlas dmt cookie
5:44 PM: ellise@atdmt[2].txt (ID = 2253)
5:44 PM: Found Spy Cookie: belnk cookie
5:44 PM: [email protected][2].txt (ID = 2293)
5:44 PM: Found Spy Cookie: azjmp cookie
5:44 PM: ellise@azjmp[2].txt (ID = 2270)
5:44 PM: Found Spy Cookie: banner cookie
5:44 PM: ellise@banner[2].txt (ID = 2276)
5:44 PM: ellise@belnk[2].txt (ID = 2292)
5:44 PM: Found Spy Cookie: bluestreak cookie
5:44 PM: ellise@bluestreak[2].txt (ID = 2314)
5:44 PM: Found Spy Cookie: bs.serving-sys cookie
5:44 PM: [email protected][2].txt (ID = 2330)
5:44 PM: Found Spy Cookie: zedo cookie
5:44 PM: [email protected][1].txt (ID = 3763)
5:44 PM: [email protected][2].txt (ID = 3763)
5:44 PM: Found Spy Cookie: casalemedia cookie
5:44 PM: ellise@casalemedia[1].txt (ID = 2354)
5:44 PM: ellise@casalemedia[3].txt (ID = 2354)
5:44 PM: Found Spy Cookie: cassava cookie
5:44 PM: ellise@cassava[1].txt (ID = 2362)
5:44 PM: Found Spy Cookie: centrport net cookie
5:44 PM: ellise@centrport[1].txt (ID = 2374)
5:44 PM: Found Spy Cookie: dbbsrv cookie
5:44 PM: ellise@dbbsrv[1].txt (ID = 2499)
5:44 PM: Found Spy Cookie: go.com cookie
5:44 PM: [email protected][1].txt (ID = 2729)
5:44 PM: [email protected][1].txt (ID = 2729)
5:44 PM: [email protected][1].txt (ID = 2293)
5:44 PM: Found Spy Cookie: fastclick cookie
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: ellise@fastclick[2].txt (ID = 2651)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: ellise@go[1].txt (ID = 2728)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Found Spy Cookie: starware.com cookie
5:44 PM: [email protected][2].txt (ID = 3442)
5:44 PM: Found Spy Cookie: hypertracker.com cookie
5:44 PM: ellise@hypertracker[1].txt (ID = 2817)
5:44 PM: Found Spy Cookie: screensavers.com cookie
5:44 PM: [email protected][2].txt (ID = 3298)
5:44 PM: Found Spy Cookie: linksynergy cookie
5:44 PM: ellise@linksynergy[1].txt (ID = 2926)
5:44 PM: Found Spy Cookie: morwillsearch cookie
5:44 PM: ellise@morwillsearch[2].txt (ID = 3008)
5:44 PM: Found Spy Cookie: touchclarity cookie
5:44 PM: [email protected][1].txt (ID = 3566)
5:44 PM: Found Spy Cookie: nextag cookie
5:44 PM: ellise@nextag[1].txt (ID = 5014)
5:44 PM: Found Spy Cookie: overture cookie
5:44 PM: ellise@overture[1].txt (ID = 3105)
5:44 PM: Found Spy Cookie: paypopup cookie
5:44 PM: ellise@paypopup[2].txt (ID = 3119)
5:44 PM: [email protected][1].txt (ID = 3106)
5:44 PM: [email protected][1].txt (ID = 2729)
5:44 PM: Found Spy Cookie: qksrv cookie
5:44 PM: ellise@qksrv[1].txt (ID = 3213)
5:44 PM: Found Spy Cookie: qsrch cookie
5:44 PM: ellise@qsrch[2].txt (ID = 3215)
5:44 PM: Found Spy Cookie: questionmarket cookie
5:44 PM: ellise@questionmarket[1].txt (ID = 3217)
5:44 PM: Found Spy Cookie: realmedia cookie
5:44 PM: ellise@realmedia[1].txt (ID = 3235)
5:44 PM: Found Spy Cookie: revenue.net cookie
5:44 PM: ellise@revenue[1].txt (ID = 3257)
5:44 PM: Found Spy Cookie: rn11 cookie
5:44 PM: ellise@rn11[2].txt (ID = 3261)
5:44 PM: Found Spy Cookie: adjuggler cookie
5:44 PM: [email protected][1].txt (ID = 2071)
5:44 PM: Found Spy Cookie: rxgenericdrugs cookie
5:44 PM: ellise@rxgenericdrugs[2].txt (ID = 3271)
5:44 PM: [email protected][1].txt (ID = 2650)
5:44 PM: [email protected][1].txt (ID = 3216)
5:44 PM: Found Spy Cookie: servedby advertising cookie
5:44 PM: [email protected][1].txt (ID = 3335)
5:44 PM: Found Spy Cookie: server.iad.liveperson cookie
5:44 PM: [email protected][1].txt (ID = 3341)
5:44 PM: Found Spy Cookie: serving-sys cookie
5:44 PM: ellise@serving-sys[2].txt (ID = 3343)
5:44 PM: ellise@starware[2].txt (ID = 3441)
5:44 PM: Found Spy Cookie: statcounter cookie
5:44 PM: ellise@statcounter[2].txt (ID = 3447)
5:44 PM: Found Spy Cookie: reliablestats cookie
5:44 PM: [email protected][1].txt (ID = 3254)
5:44 PM: Found Spy Cookie: webtrendslive cookie
5:44 PM: [email protected][2].txt (ID = 3667)
5:44 PM: Found Spy Cookie: tickle cookie
5:44 PM: ellise@tickle[1].txt (ID = 3529)
5:44 PM: Found Spy Cookie: tradedoubler cookie
5:44 PM: ellise@tradedoubler[2].txt (ID = 3575)
5:44 PM: Found Spy Cookie: trafficmp cookie
5:44 PM: ellise@trafficmp[2].txt (ID = 3581)
5:44 PM: Found Spy Cookie: tribalfusion cookie
5:44 PM: ellise@tribalfusion[1].txt (ID = 3589)
5:44 PM: [email protected][2].txt (ID = 3298)
5:44 PM: [email protected][1].txt (ID = 3442)
5:44 PM: Found Spy Cookie: adserver cookie
5:44 PM: [email protected][2].txt (ID = 2142)
5:44 PM: ellise@zedo[1].txt (ID = 3762)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: scott@247realmedia[1].txt (ID = 1953)
5:44 PM: scott@2o7[1].txt (ID = 1957)
5:44 PM: scott@3[1].txt (ID = 1959)
5:44 PM: scott@3[3].txt (ID = 1959)
5:44 PM: [email protected][2].txt (ID = 1993)
5:44 PM: [email protected][3].txt (ID = 1993)
5:44 PM: scott@888[1].txt (ID = 2019)
5:44 PM: [email protected][2].txt (ID = 3665)
5:44 PM: scott@accoona[2].txt (ID = 2041)
5:44 PM: Found Spy Cookie: 4u.pl cookie
5:44 PM: [email protected][1].txt (ID = 1978)
5:44 PM: [email protected][1].txt (ID = 3751)
5:44 PM: Found Spy Cookie: bannerbank cookie
5:44 PM: [email protected][1].txt (ID = 2281)
5:44 PM: scott@adecn[1].txt (ID = 2063)
5:44 PM: Found Spy Cookie: adknowledge cookie
5:44 PM: scott@adknowledge[2].txt (ID = 2072)
5:44 PM: [email protected][2].txt (ID = 2768)
5:44 PM: Found Spy Cookie: specificclick.com cookie
5:44 PM: [email protected][2].txt (ID = 3400)
5:44 PM: [email protected][2].txt (ID = 3148)
5:44 PM: Found Spy Cookie: adtech cookie
5:44 PM: scott@adtech[2].txt (ID = 2155)
5:44 PM: scott@advertising[1].txt (ID = 2175)
5:44 PM: scott@apmebf[2].txt (ID = 2229)
5:44 PM: [email protected][2].txt (ID = 2650)
5:44 PM: [email protected][2].txt (ID = 2650)
5:44 PM: [email protected][1].txt (ID = 2650)
5:44 PM: scott@atdmt[2].txt (ID = 2253)
5:44 PM: [email protected][1].txt (ID = 2293)
5:44 PM: scott@azjmp[2].txt (ID = 2270)
5:44 PM: scott@belnk[1].txt (ID = 2292)
5:44 PM: Found Spy Cookie: bravenet cookie
5:44 PM: scott@bravenet[1].txt (ID = 2322)
5:44 PM: [email protected][2].txt (ID = 2330)
5:44 PM: Found Spy Cookie: enhance cookie
5:44 PM: [email protected][1].txt (ID = 2614)
5:44 PM: Found Spy Cookie: goclick cookie
5:44 PM: [email protected][1].txt (ID = 2733)
5:44 PM: scott@casalemedia[1].txt (ID = 2354)
5:44 PM: Found Spy Cookie: sextracker cookie
5:44 PM: [email protected][1].txt (ID = 3362)
5:44 PM: scott@dbbsrv[1].txt (ID = 2499)
5:44 PM: [email protected][1].txt (ID = 2293)
5:44 PM: scott@fastclick[1].txt (ID = 2651)
5:44 PM: Found Spy Cookie: fortunecity cookie
5:44 PM: scott@fortunecity[2].txt (ID = 2686)
5:44 PM: [email protected][2].txt (ID = 3442)
5:44 PM: Found Spy Cookie: hotlog cookie
5:44 PM: scott@hotlog[1].txt (ID = 2801)
5:44 PM: scott@hypertracker[2].txt (ID = 2817)
5:44 PM: [email protected][1].txt (ID = 3298)
5:44 PM: Found Spy Cookie: maxserving cookie
5:44 PM: scott@maxserving[1].txt (ID = 2966)
5:44 PM: scott@morwillsearch[2].txt (ID = 3008)
5:44 PM: Found Spy Cookie: partypoker cookie
5:44 PM: scott@partypoker[1].txt (ID = 3111)
5:44 PM: scott@paypopup[1].txt (ID = 3119)
5:44 PM: scott@qksrv[2].txt (ID = 3213)
5:44 PM: scott@realmedia[1].txt (ID = 3235)
5:44 PM: scott@revenue[2].txt (ID = 3257)
5:44 PM: scott@rn11[1].txt (ID = 3261)
5:44 PM: [email protected][1].txt (ID = 3335)
5:44 PM: [email protected][2].txt (ID = 3341)
5:44 PM: scott@serving-sys[1].txt (ID = 3343)
5:44 PM: scott@sextracker[1].txt (ID = 3361)
5:44 PM: Found Spy Cookie: spylog cookie
5:44 PM: scott@spylog[2].txt (ID = 3415)
5:44 PM: scott@statcounter[1].txt (ID = 3447)
5:44 PM: [email protected][2].txt (ID = 3254)
5:44 PM: Found Spy Cookie: targetnet cookie
5:44 PM: scott@targetnet[2].txt (ID = 3489)
5:44 PM: Found Spy Cookie: toplist cookie
5:44 PM: scott@toplist[1].txt (ID = 3557)
5:44 PM: scott@tradedoubler[1].txt (ID = 3575)
5:44 PM: scott@trafficmp[1].txt (ID = 3581)
5:44 PM: scott@tribalfusion[1].txt (ID = 3589)
5:44 PM: Found Spy Cookie: tripod cookie
5:44 PM: scott@tripod[1].txt (ID = 3591)
5:44 PM: Found Spy Cookie: realtracker cookie
5:44 PM: [email protected][2].txt (ID = 3242)
5:44 PM: Found Spy Cookie: findthewebsiteyouneed cookie
5:44 PM: [email protected][1].txt (ID = 2673)
5:44 PM: Found Spy Cookie: myaffiliateprogram.com cookie
5:44 PM: [email protected][1].txt (ID = 3032)
5:44 PM: [email protected][1].txt (ID = 3298)
5:44 PM: [email protected][1].txt (ID = 3442)
5:44 PM: Found Spy Cookie: xren_cj cookie
5:44 PM: scott@xren_cj[2].txt (ID = 3723)
5:44 PM: scott@xren_cj[3].txt (ID = 3723)
5:44 PM: [email protected][1].txt (ID = 2142)
5:44 PM: scott@zedo[1].txt (ID = 3762)
5:44 PM: [email protected][2].txt (ID = 3751)
5:44 PM: [email protected][2].txt (ID = 2650)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: jeff@belnk[1].txt (ID = 2292)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: jeff@casalemedia[2].txt (ID = 2354)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: [email protected][2].txt (ID = 2293)
5:44 PM: jeff@paypopup[1].txt (ID = 3119)
5:44 PM: [email protected][1].txt (ID = 3106)
5:44 PM: [email protected][1].txt (ID = 3341)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: [email protected][1].txt (ID = 3254)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: jeff@tribalfusion[1].txt (ID = 3589)
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Found Spy Cookie: yadro cookie
5:44 PM: jeff@yadro[2].txt (ID = 3743)
5:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:15
5:44 PM: Starting File Sweep
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger Service. Error: The specified service does not exist as an installed service
5:44 PM: Warning: Windows Messenger Shield: Could not open Messenger S

#8
Crustyoldbloke

Posted 13 November 2005 - 05:08 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again Jeff

It would appear that you have some operating system problem/s in the area of Windows Messenger.

The vundofix tool could not work correctly since your input for the second file was incorrect. It was missing the all important asterisk which in computer parlance means "anything". Vundo creates normally three "backward" files with various file suffixes. The delete instruction written that way takes into account all variations.

Does this PC have more than 1 profile? I noticed the name of Scott on the cookie list. Check my first post to you. If this is a multi ID PC, I will need the HJT log from Scott's profile too.

The good news is that the HJT log submitted was clean. How is the PC running now?

#9
jfin

Posted 14 November 2005 - 03:57 PM

New Member

Topic Starter
Member
5 posts

i just wanted to let you know the computer is clean and back to normal.
Thanks for all the help

regards jeff

#10
Crustyoldbloke

Posted 14 November 2005 - 06:24 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

OK Jeff, if you are sure you don't want any further logs checking, but I can't give you the all clear.

I will leave this thread open for a few days in case of misfortune.

#11
Crustyoldbloke

Posted 25 November 2005 - 04:44 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.