Win32Worm, Other Problems



#1 rileyd99 (Member, 15 posts)
Hi there. I had an email returned to me that I didn't send, which was returned due to the possibility of it containing the Win32 Worm, so after some research I realized that many of the people who have posted here prior to me have the same problems... slow moving, problems with programs/internet, etc. Anyway, I have followed a previous post that I found and here is what I did...

I ran Ad-Aware and Spyware Doctor. I then ran TrojanHunter and ewido scans. I double checked my Windows updates and they are fine. I also ran Kaspersky last night, though I did this prior to running TrojanHunter and ewido. Finally, here I am with the logs for ewido, TrojanHunter, and HJT. I also turned System Restore off, rebooted, turned it back on, rebooted, and also cleaned out the temp files/cookies.

One other problem, which hopefully will reveal itself here, is that when I go to shut down I get two error messages stating that SLRACLUI.EXE DLL initialization failed and DMOEDLIN.EXE initialization failed.

Here's the logs...

EWIDO...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:55 AM, 11/16/2005
+ Report-Checksum: FADCAB8E

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3567388149-3575068407-513705992-1005\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-3567388149-3575068407-513705992-1005_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
:mozilla.10:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.76:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.77:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.79:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.81:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.82:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.83:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.100:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.103:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.105:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.106:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.107:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.109:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.110:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.111:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.113:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.114:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.115:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.122:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.124:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.126:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.129:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.135:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.141:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.142:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.146:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.147:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.148:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.149:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.150:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.154:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.157:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.159:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.169:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.173:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.521:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.561:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.578:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.580:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.605:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.626:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.629:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.638:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.645:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.649:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.651:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.652:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.653:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.654:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.655:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.669:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.682:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.689:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gsze5yp0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ehg-prosavvy.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter3.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter4.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter5.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter7.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@fhm.valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End

Trojan Hunter

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Program Files\AT&T\WnClient\Programs\WnCSMServer.exe (Dialer)
1 trojan files found

Kaspersky (last night, prior to the above)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, November 15, 2005 20:26:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 88360
Number of viruses found: 18
Number of infected objects: 146
Number of suspicious objects: 15
Duration of the scan process: 6767 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\0268597F Infected: Net-Worm.Win32.Mytob.be
C:\Program Files\Norton AntiVirus\Quarantine\04350B90/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\04350B90 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0BD863AA/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0BD863AA Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0CBF2AB9/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0CBF2AB9 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0D701E42 Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0D701E42.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0E186F38/[From register@yahoo.com][Date Fri, 06 May 2005 11:53:17 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0E186F38 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0E8E1E2C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0E9B461E.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\0EB26C05.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0EEA35C7.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F072FA7.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F285383.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F382571.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0FE92FF2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10EA7593.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10F71D85.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\15490DC5 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\159C5069.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\16180BE0.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\164C5362 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E/mail.zip/mail.txt .scr Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E/mail.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\17684DD7 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A/file.zip/file.htm .scr Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A/file.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\18B176D9 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\19BA34CA/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\19BA34CA Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\1C4C70E4 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1FF772D9 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\25B06F93.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\28D93126.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\29610269.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\2CC30EA7/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2CC30EA7 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D7A4405/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D7A4405 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\30E7324F Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\411F7CE3 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\418460B9/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\418460B9 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\42E044E0.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A/khzke.zip/khzke.pif Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A/khzke.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\49823B08 Infected: Net-Worm.Win32.Mytob.au
C:\Program Files\Norton AntiVirus\Quarantine\4E4C075C.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\513567D6 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\51CE751A Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\5A120BFA.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\5ACA42BD Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\5B8F3CAC.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\5B9F0E9A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\633C53E0 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\63DF7F58 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\664149C8 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\692644C1 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\6C381511.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\6D567E42 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\71DE0020 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\790B4BE7.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\7D344781/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7D344781 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7FE35617/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7FE35617 Infected: Email-Worm.Win32.NetSky.q
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP647\A0021094.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP647\A0021095.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP650\A0021137.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021158.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021159.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021160.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021161.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021162.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021163.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP651\A0021164.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP676\A0021499.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021520.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021521.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021522.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021523.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021524.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021525.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP677\A0021526.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP680\A0021550.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP680\A0021551.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP680\A0021553.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP680\A0021555.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP680\A0021556.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021592.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021593.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021594.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021595.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021596.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021597.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP681\A0021598.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP684\A0021629.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP684\A0021633.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP684\A0021634.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021686.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021687.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021688.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021689.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021690.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021691.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP685\A0021692.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP689\A0021734.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021745.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021746.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021747.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021748.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021749.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021750.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP690\A0021751.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021773.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021871.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021872.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021873.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021874.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021891.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021892.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021893.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021894.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021895.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021896.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP693\A0021897.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP695\A0021916.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP695\A0021917.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP698\A0022030.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022066.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022067.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022068.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022069.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022070.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022071.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP699\A0022072.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022103.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022104.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022129.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022131.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022132.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022133.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022134.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022135.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022136.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022145.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022146.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP704\A0022183.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{18AC2EAA-6A66-4C32-A00E-B8C5E98B1B03}\RP726\A0022810.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\ddecoins.dll Infected: Trojan.Win32.Crypt.t

Scan process completed.


HJT just now...

Logfile of HijackThis v1.99.1
Scan saved at 9:34:20 AM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-33.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://crmls.fnismls...rintControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130289785357
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.q....096/qboax8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://crmls.fnismls...stemChecker.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\

#2 rileyd99 (Topic Starter)
PS...

I just ran another Kaspersky online scan and here are the results...

(are there any ways to remove the items using this program??)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 15:00:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150405
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84047
Number of viruses found: 15
Number of infected objects: 63
Number of suspicious objects: 15
Duration of the scan process: 7095 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\0268597F Infected: Net-Worm.Win32.Mytob.be
C:\Program Files\Norton AntiVirus\Quarantine\04350B90/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\04350B90 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED/[From info@illuminationconsultants.com][Date Wed, 26 Jan 2005 11:49:17 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85/[From Mail Delivery System <Mailer-Daemon@server001.foilole.com>][Date Wed, 26 Jan 2005 08:49:21 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0B1D2C85 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0BD863AA/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0BD863AA Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0CBF2AB9/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0CBF2AB9 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0D701E42 Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0D701E42.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0E186F38/[From register@yahoo.com][Date Fri, 06 May 2005 11:53:17 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0E186F38 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0E8E1E2C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0E9B461E.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\0EB26C05.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0EEA35C7.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F072FA7.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F285383.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0F382571.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0FE92FF2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10EA7593.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10F71D85.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\15490DC5 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\159C5069.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\16180BE0.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\164C5362 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E/mail.zip/mail.txt .scr Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E/mail.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\173F3D5E Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\17684DD7 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A/file.zip/file.htm .scr Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A/file.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\177B3D6A Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\18B176D9 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\19BA34CA/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\19BA34CA Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\1C4C70E4 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1FF772D9 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\25B06F93.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\28D93126.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\29610269.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\2CC30EA7/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2CC30EA7 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D7A4405/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D7A4405 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\30E7324F Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\411F7CE3 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\418460B9/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\418460B9 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\42E044E0.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A/khzke.zip/khzke.pif Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A/khzke.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\42F6505A Infected: Email-Worm.Win32.Mydoom.m
C:\Program Files\Norton AntiVirus\Quarantine\49823B08 Infected: Net-Worm.Win32.Mytob.au
C:\Program Files\Norton AntiVirus\Quarantine\4E4C075C.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\513567D6 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\51CE751A Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\5A120BFA.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\5ACA42BD Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\5B8F3CAC.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\5B9F0E9A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\633C53E0 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\63DF7F58 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\664149C8 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\692644C1 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\6C381511.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\6D567E42 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\71DE0020 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\790B4BE7.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\7D344781/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7D344781 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7FE35617/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\7FE35617 Infected: Email-Worm.Win32.NetSky.q
C:\WINDOWS\system32\ddecoins.dll Infected: Trojan.Win32.Crypt.t

Scan process completed.

#3 Armodeluxe (Retired Staff)
Ryan, I'm going through your log now and will be back shortly with a reply.

User posted:

PS...here is the most recent HJT log, I just ran it...

Logfile of HijackThis v1.99.1
Scan saved at 9:49:16 AM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AIM\aim.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://crmls.fnismls...rintControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130289785357
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.q....096/qboax8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://crmls.fnismls...stemChecker.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi Ryan,

Did you just reset system restore, or did you turn it off? If you turned it off, please turn it back on; an infected restore point is better than not having any, in case you may need to use that feature.

There's not much showing in your log and Kaspersky is finding only one infected file.

Please empty the Norton quarantine folder; there's no point in keeping files in quarantine unless you suspect a false positive.

Open HijackThis and click Scan. Put a check next to these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe fix this entry if you didn't install the program yourself.
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab


Close all other windows except HijackThis and click Fix Checked.
Please update Ewido (do NOT run it yet!)
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido

    You already have it installed, so skip the installation process in the speech below, but update Spysweeper and set it up as described; don't run a scan yet, we will run it in safe mode.

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make a scan with Spysweeper
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy/save everything in that window to Notepad.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Then delete this file if it still exists:

C:\WINDOWS\system32\ddecoins.dll

If you are getting rid of Bodog Poker uninstall it from Control Panel Add/Remove Programs and delete the folder:

C:\Program Files\Bodog Poker

Then please boot back to normal mode and post a new HijackThis log along with the Ewido and Spysweeper logs. Also please tell me: which of these have you paid for, and which are on a trial period (or trial expired)?

Ewido
Spysweeper
Trojan Hunter
Spyware Doctor
  • 0
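The entries picked out of the log above follow a few mechanical rules: lines whose target file no longer exists, registry values that have been blanked, and sections such as Trusted Zone, DPF and Winlogon Notify that always deserve a look. The script below is an added example, not HijackThis code and not part of this thread; it applies those rules to lines copied from the log above and assumes the HijackThis v1.99 line layout (`<section> - <details>`).

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not a tool from
the thread).  It encodes the selection rules a helper applies by eye."""
import re

# A HijackThis entry looks like "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")

# Sections that are reviewed even when nothing in them is obviously broken.
REVIEW_SECTIONS = {
    "O15": "Trusted Zone entry relaxes IE security for that domain",
    "O16": "downloaded ActiveX control (DPF); confirm the site is wanted",
    "O20": "Winlogon Notify DLL is loaded at every logon",
}

# Sample lines copied from the log posted above (not a full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
"""


def classify(line):
    """Return (verdict, reason) for one log line.

    verdict is "fix" (dead or blanked entry, safe to let HijackThis remove),
    "review" (needs a human judgement) or "ok".
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return ("ok", "not a HijackThis entry")
    sec, rest = m.group("sec"), m.group("rest")
    if rest.endswith("(no file)"):
        # Orphaned hook/BHO: the registry still references a file that is gone.
        return ("fix", "entry points at a file that no longer exists")
    if sec.startswith("R") and rest.rstrip().endswith("="):
        # Blank IE registry value, typically left behind by removed hijackers.
        return ("fix", "registry value is blank; HijackThis restores the default")
    if sec in REVIEW_SECTIONS:
        return ("review", REVIEW_SECTIONS[sec])
    return ("ok", "")


def triage(log_text):
    """Group entries by verdict; "ok" lines are dropped to keep output short."""
    result = {"fix": [], "review": []}
    for line in log_text.splitlines():
        verdict, reason = classify(line)
        if verdict in result:
            result[verdict].append((line.strip(), reason))
    return result


if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LOG).items():
        print(f"== {verdict.upper()} ==")
        for entry, reason in entries:
            print(f"{entry}\n    -> {reason}")
```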

#5
rileyd99

    Member

  • Topic Starter
  • Member
  • 15 posts
First I just wanted to say thank you so much for the help. Second, I want to apologize that this took so long to repost... these scans take forever. To answer your last questions, Ewido, Spysweeper and Trojan Hunter are all trial versions and I am not sure about Spyware Doctor. I was going to purchase Spysweeper as I only have a couple days left on the trial. Which should I purchase and run? Can I keep them all going at once, or is that not any more help? Also, I didn't delete *fnismls from the HJT log because I think it is from my work site... it's a real estate MLS site. If I am wrong about this I will definitely delete it. Anyhow... here's the logs and thanks again...

Logfile of HijackThis v1.99.1
Scan saved at 6:32:03 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\DMOEDLIN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://crmls.fnismls...rintControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130289785357
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.q....096/qboax8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://crmls.fnismls...stemChecker.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:21:09 PM, 11/19/2005
+ Report-Checksum: 50728FA0

+ Scan result:

C:\Documents and Settings\user\Cookies\user@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@mads.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@news.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End

********
1:25 PM: | Start of Session, Saturday, November 19, 2005 |
1:25 PM: Spy Sweeper started
1:25 PM: Sweep initiated using definitions version 574
1:25 PM: Starting Memory Sweep
1:26 PM: Memory Sweep Complete, Elapsed Time: 00:00:55
1:26 PM: Starting Registry Sweep
1:26 PM: Registry Sweep Complete, Elapsed Time:00:00:13
1:26 PM: Starting Cookie Sweep
1:26 PM: Found Spy Cookie: 247realmedia cookie
1:26 PM: user@247realmedia[2].txt (ID = 1953)
1:26 PM: Found Spy Cookie: 2o7.net cookie
1:26 PM: user@2o7[1].txt (ID = 1957)
1:26 PM: Found Spy Cookie: about cookie
1:26 PM: user@about[2].txt (ID = 2037)
1:26 PM: Found Spy Cookie: yieldmanager cookie
1:26 PM: user@ad.yieldmanager[1].txt (ID = 3751)
1:26 PM: Found Spy Cookie: adrevolver cookie
1:26 PM: user@adrevolver[2].txt (ID = 2088)
1:26 PM: user@adrevolver[3].txt (ID = 2088)
1:26 PM: Found Spy Cookie: pointroll cookie
1:26 PM: user@ads.pointroll[1].txt (ID = 3148)
1:26 PM: Found Spy Cookie: advertising cookie
1:26 PM: user@advertising[1].txt (ID = 2175)
1:26 PM: Found Spy Cookie: ask cookie
1:26 PM: user@ask[1].txt (ID = 2245)
1:26 PM: Found Spy Cookie: atlas dmt cookie
1:26 PM: user@atdmt[2].txt (ID = 2253)
1:26 PM: Found Spy Cookie: atwola cookie
1:26 PM: user@atwola[1].txt (ID = 2255)
1:26 PM: Found Spy Cookie: belnk cookie
1:26 PM: user@belnk[1].txt (ID = 2292)
1:26 PM: Found Spy Cookie: burstnet cookie
1:26 PM: user@burstnet[2].txt (ID = 2336)
1:26 PM: Found Spy Cookie: casalemedia cookie
1:26 PM: user@casalemedia[1].txt (ID = 2354)
1:26 PM: Found Spy Cookie: centrport net cookie
1:26 PM: user@centrport[1].txt (ID = 2374)
1:26 PM: user@chemistry.about[2].txt (ID = 2038)
1:26 PM: Found Spy Cookie: clickbank cookie
1:26 PM: user@clickbank[1].txt (ID = 2398)
1:26 PM: user@cnn.122.2o7[1].txt (ID = 1958)
1:26 PM: user@dist.belnk[2].txt (ID = 2293)
1:26 PM: Found Spy Cookie: ru4 cookie
1:26 PM: user@edge.ru4[1].txt (ID = 3269)
1:26 PM: Found Spy Cookie: go.com cookie
1:26 PM: user@espn.go[2].txt (ID = 2729)
1:26 PM: Found Spy Cookie: excite cookie
1:26 PM: user@excite[1].txt (ID = 2631)
1:26 PM: Found Spy Cookie: fastclick cookie
1:26 PM: user@fastclick[2].txt (ID = 2651)
1:26 PM: user@go[2].txt (ID = 2728)
1:26 PM: user@highbeam.122.2o7[1].txt (ID = 1958)
1:26 PM: Found Spy Cookie: howstuffworks cookie
1:26 PM: user@howstuffworks[1].txt (ID = 2805)
1:26 PM: user@jcrew.112.2o7[1].txt (ID = 1958)
1:26 PM: Found Spy Cookie: mrskin cookie
1:26 PM: user@mrskin[1].txt (ID = 3020)
1:26 PM: user@msnportal.112.2o7[1].txt (ID = 1958)
1:26 PM: Found Spy Cookie: nextag cookie
1:26 PM: user@nextag[2].txt (ID = 5014)
1:26 PM: Found Spy Cookie: pro-market cookie
1:26 PM: user@pro-market[2].txt (ID = 3197)
1:26 PM: Found Spy Cookie: questionmarket cookie
1:26 PM: user@questionmarket[1].txt (ID = 3217)
1:26 PM: Found Spy Cookie: realmedia cookie
1:26 PM: user@realmedia[2].txt (ID = 3235)
1:26 PM: user@rsi.espn.go[1].txt (ID = 2729)
1:26 PM: Found Spy Cookie: servedby advertising cookie
1:26 PM: user@servedby.advertising[2].txt (ID = 3335)
1:26 PM: Found Spy Cookie: serving-sys cookie
1:26 PM: user@serving-sys[1].txt (ID = 3343)
1:26 PM: user@sports-att.espn.go[1].txt (ID = 2729)
1:26 PM: user@sports.espn.go[2].txt (ID = 2729)
1:26 PM: Found Spy Cookie: tracking cookie
1:26 PM: user@tracking[2].txt (ID = 3571)
1:26 PM: Found Spy Cookie: tradedoubler cookie
1:26 PM: user@tradedoubler[1].txt (ID = 3575)
1:26 PM: Found Spy Cookie: trafficmp cookie
1:26 PM: user@trafficmp[1].txt (ID = 3581)
1:26 PM: Found Spy Cookie: tribalfusion cookie
1:26 PM: user@tribalfusion[2].txt (ID = 3589)
1:26 PM: Found Spy Cookie: myaffiliateprogram.com cookie
1:26 PM: user@www.myaffiliateprogram[1].txt (ID = 3032)
1:26 PM: Found Spy Cookie: adserver cookie
1:26 PM: user@z1.adserver[1].txt (ID = 2142)
1:26 PM: Found Spy Cookie: zedo cookie
1:26 PM: user@zedo[1].txt (ID = 3762)
1:26 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
1:26 PM: Starting File Sweep
1:45 PM: Warning: Unhandled Archive Type
1:46 PM: File Sweep Complete, Elapsed Time: 00:20:11
1:46 PM: Full Sweep has completed. Elapsed time 00:21:27
1:46 PM: Traces Found: 45
1:56 PM: Removal process initiated
1:56 PM: Quarantining All Traces: 247realmedia cookie
1:56 PM: Quarantining All Traces: 2o7.net cookie
1:56 PM: Quarantining All Traces: about cookie
1:56 PM: Quarantining All Traces: adrevolver cookie
1:56 PM: Quarantining All Traces: adserver cookie
1:56 PM: Quarantining All Traces: advertising cookie
1:56 PM: Quarantining All Traces: ask cookie
1:56 PM: Quarantining All Traces: atlas dmt cookie
1:56 PM: Quarantining All Traces: atwola cookie
1:56 PM: Quarantining All Traces: belnk cookie
1:56 PM: Quarantining All Traces: burstnet cookie
1:56 PM: Quarantining All Traces: casalemedia cookie
1:56 PM: Quarantining All Traces: centrport net cookie
1:56 PM: Quarantining All Traces: clickbank cookie
1:56 PM: Quarantining All Traces: excite cookie
1:56 PM: Quarantining All Traces: fastclick cookie
1:56 PM: Quarantining All Traces: go.com cookie
1:56 PM: Quarantining All Traces: howstuffworks cookie
1:56 PM: Quarantining All Traces: mrskin cookie
1:56 PM: Quarantining All Traces: myaffiliateprogram.com cookie
1:56 PM: Quarantining All Traces: nextag cookie
1:56 PM: Quarantining All Traces: pointroll cookie
1:56 PM: Quarantining All Traces: pro-market cookie
1:56 PM: Quarantining All Traces: questionmarket cookie
1:56 PM: Quarantining All Traces: realmedia cookie
1:56 PM: Quarantining All Traces: ru4 cookie
1:56 PM: Quarantining All Traces: servedby advertising cookie
1:56 PM: Quarantining All Traces: serving-sys cookie
1:56 PM: Quarantining All Traces: tracking cookie
1:56 PM: Quarantining All Traces: tradedoubler cookie
1:56 PM: Quarantining All Traces: trafficmp cookie
1:56 PM: Quarantining All Traces: tribalfusion cookie
1:56 PM: Quarantining All Traces: yieldmanager cookie
1:56 PM: Quarantining All Traces: zedo cookie
1:56 PM: Removal process completed. Elapsed time 00:00:04
********
2:37 PM: | Start of Session, Sunday, November 13, 2005 |
2:37 PM: Spy Sweeper started
2:37 PM: Sweep initiated using definitions version 572
2:37 PM: Starting Memory Sweep
2:42 PM: Memory Sweep Complete, Elapsed Time: 00:04:30
2:42 PM: Starting Registry Sweep
2:43 PM: Registry Sweep Complete, Elapsed Time:00:01:38
2:43 PM: Starting Cookie Sweep
2:43 PM: Found Spy Cookie: 2o7.net cookie
2:43 PM: user@2o7[1].txt (ID = 1957)
2:43 PM: Found Spy Cookie: addynamix cookie
2:43 PM: user@ads.addynamix[1].txt (ID = 2062)
2:43 PM: Found Spy Cookie: pointroll cookie
2:43 PM: user@ads.pointroll[1].txt (ID = 3148)
2:43 PM: Found Spy Cookie: advertising cookie
2:43 PM: user@advertising[1].txt (ID = 2175)
2:43 PM: Found Spy Cookie: atlas dmt cookie
2:43 PM: user@atdmt[2].txt (ID = 2253)
2:43 PM: Found Spy Cookie: atwola cookie
2:43 PM: user@atwola[1].txt (ID = 2255)
2:43 PM: user@buycom.122.2o7[1].txt (ID = 1958)
2:43 PM: Found Spy Cookie: centrport net cookie
2:43 PM: user@centrport[2].txt (ID = 2374)
2:43 PM: user@cnn.122.2o7[1].txt (ID = 1958)
2:43 PM: Found Spy Cookie: coremetrics cookie
2:43 PM: user@data.coremetrics[1].txt (ID = 2472)
2:43 PM: Found Spy Cookie: ru4 cookie
2:43 PM: user@edge.ru4[1].txt (ID = 3269)
2:43 PM: Found Spy Cookie: go.com cookie
2:43 PM: user@espn.go[1].txt (ID = 2729)
2:43 PM: Found Spy Cookie: fastclick cookie
2:43 PM: user@fastclick[2].txt (ID = 2651)
2:43 PM: user@go[2].txt (ID = 2728)
2:43 PM: user@jcrew.112.2o7[1].txt (ID = 1958)
2:43 PM: user@msnportal.112.2o7[1].txt (ID = 1958)
2:43 PM: Found Spy Cookie: nextag cookie
2:43 PM: user@nextag[2].txt (ID = 5014)
2:43 PM: Found Spy Cookie: overture cookie
2:43 PM: user@perf.overture[1].txt (ID = 3106)
2:43 PM: Found Spy Cookie: qsrch cookie
2:43 PM: user@qsrch[2].txt (ID = 3215)
2:43 PM: Found Spy Cookie: questionmarket cookie
2:43 PM: user@questionmarket[1].txt (ID = 3217)
2:43 PM: user@riptownmedia.122.2o7[2].txt (ID = 1958)
2:43 PM: user@rsi.espn.go[1].txt (ID = 2729)
2:43 PM: Found Spy Cookie: servedby advertising cookie
2:43 PM: user@servedby.advertising[1].txt (ID = 3335)
2:43 PM: Found Spy Cookie: serving-sys cookie
2:43 PM: user@serving-sys[1].txt (ID = 3343)
2:43 PM: user@sports-att.espn.go[2].txt (ID = 2729)
2:43 PM: user@sports.espn.go[2].txt (ID = 2729)
2:43 PM: Found Spy Cookie: tradedoubler cookie
2:43 PM: user@tradedoubler[1].txt (ID = 3575)
2:43 PM: Found Spy Cookie: trafficmp cookie
2:43 PM: user@trafficmp[2].txt (ID = 3581)
2:43 PM: Found Spy Cookie: tribalfusion cookie
2:43 PM: user@tribalfusion[2].txt (ID = 3589)
2:43 PM: Found Spy Cookie: adserver cookie
2:43 PM: user@z1.adserver[1].txt (ID = 2142)
2:43 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
2:43 PM: Starting File Sweep
2:58 PM: File Sweep Complete, Elapsed Time: 00:14:43
2:58 PM: Full Sweep has completed. Elapsed time 00:21:05
2:58 PM: Traces Found: 30
7:24 PM: Removal process initiated
7:25 PM: Quarantining All Traces: 2o7.net cookie
7:25 PM: Quarantining All Traces: addynamix cookie
7:25 PM: Quarantining All Traces: adserver cookie
7:25 PM: Quarantining All Traces: advertising cookie
7:25 PM: Quarantining All Traces: atlas dmt cookie
7:25 PM: Quarantining All Traces: atwola cookie
7:25 PM: Quarantining All Traces: centrport net cookie
7:25 PM: Quarantining All Traces: coremetrics cookie
7:25 PM: Quarantining All Traces: fastclick cookie
7:25 PM: Quarantining All Traces: go.com cookie
7:25 PM: Quarantining All Traces: nextag cookie
7:25 PM: Quarantining All Traces: overture cookie
7:25 PM: Quarantining All Traces: pointroll cookie
7:25 PM: Quarantining All Traces: qsrch cookie
7:25 PM: Quarantining All Traces: questionmarket cookie
7:25 PM: Quarantining All Traces: ru4 cookie
7:25 PM: Quarantining All Traces: servedby advertising cookie
7:25 PM: Quarantining All Traces: serving-sys cookie
7:25 PM: Quarantining All Traces: tradedoubler cookie
7:25 PM: Quarantining All Traces: trafficmp cookie
7:25 PM: Quarantining All Traces: tribalfusion cookie
7:25 PM: Removal process completed. Elapsed time 00:00:15
7:25 PM: Deletion from quarantine initiated
7:25 PM: Processing: 2o7.net cookie
7:25 PM: Processing: 888 cookie
7:25 PM: Processing: addynamix cookie
7:25 PM: Processing: adknowledge cookie
7:25 PM: Processing: adprofile cookie
7:25 PM: Processing: adserver cookie
7:25 PM: Processing: advertising cookie
7:25 PM: Processing: apropos
7:25 PM: Processing: atlas dmt cookie
7:25 PM: Processing: atwola cookie
7:25 PM: Processing: burstbeacon cookie
7:25 PM: Processing: burstnet cookie
7:25 PM: Processing: cc214142 cookie
7:25 PM: Processing: centrport net cookie
7:25 PM: Processing: clickandtrack cookie
7:25 PM: Processing: coremetrics cookie
7:25 PM: Processing: domainsponsor cookie
7:25 PM: Processing: ebates money maker
7:25 PM: Processing: exitexchange cookie
7:25 PM: Processing: fastclick cookie
7:25 PM: Processing: go.com cookie
7:25 PM: Processing: hbmediapro cookie
7:25 PM: Processing: hotbar cookie
7:25 PM: Processing: internetoptimizer
7:25 PM: Processing: ist istbar
7:25 PM: Processing: ist sidefind
7:25 PM: Processing: kinghost cookie
7:25 PM: Processing: limeshop
7:25 PM: Processing: nextag cookie
7:25 PM: Processing: overture cookie
7:25 PM: Processing: partypoker cookie
7:25 PM: Processing: pointroll cookie
7:25 PM: Processing: qsrch cookie
7:25 PM: Processing: questionmarket cookie
7:25 PM: Processing: realmedia cookie
7:25 PM: Processing: reliablestats cookie
7:25 PM: Processing: reunion cookie
7:25 PM: Processing: revenue.net cookie
7:25 PM: Processing: rn11 cookie
7:25 PM: Processing: ru4 cookie
7:25 PM: Processing: servedby advertising cookie
7:25 PM: Processing: serving-sys cookie
7:25 PM: Processing: specificclick.com cookie
7:25 PM: Processing: teenax cookie
7:25 PM: Processing: tradedoubler cookie
7:25 PM: Processing: trafficmp cookie
7:25 PM: Processing: tribalfusion cookie
7:25 PM: Processing: videodome cookie
7:25 PM: Processing: websponsors cookie
7:25 PM: Processing: winad
7:25 PM: Processing: www.club-nikki cookie
7:25 PM: Processing: yieldmanager cookie
7:25 PM: Processing: zedo cookie
7:25 PM: Deletion from quarantine completed. Elapsed time 00:00:01
7:32 PM: Your spyware definitions have been updated.
7:32 PM: Your spyware definitions have been updated.
1:20 PM: Updating spyware definitions
1:20 PM: Your definitions are up to date.
1:21 PM: Updating spyware definitions
1:21 PM: Your definitions are up to date.
********
8:26 PM: | Start of Session, Tuesday, November 08, 2005 |
8:26 PM: Spy Sweeper started
8:26 PM: Sweep initiated using definitions version 569
8:26 PM: Starting Memory Sweep
8:30 PM: Found Adware: winad
8:30 PM: Detected running threat: C:\Program Files\Media Access\MediaAccK.exe (ID = 90406)
8:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Media Access (ID = 0)
8:30 PM: Detected running threat: C:\Program Files\Media Access\MediaAccess.exe (ID = 90389)
8:31 PM: Memory Sweep Complete, Elapsed Time: 00:05:30
8:31 PM: Starting Registry Sweep
8:32 PM: Found Adware: internetoptimizer
8:32 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
8:32 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
8:32 PM: Found Adware: ist istbar
8:32 PM: HKCR\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 129055)
8:32 PM: Found Adware: ist software
8:32 PM: HKCR\istx.installer\ (3 subtraces) (ID = 129073)
8:32 PM: HKLM\software\classes\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 129079)
8:32 PM: HKLM\software\classes\istx.installer\ (3 subtraces) (ID = 129096)
8:32 PM: HKLM\software\classes\istx.installer\clsid\ (1 subtraces) (ID = 129097)
8:32 PM: HKLM\software\classes\typelib\{89a10d64-83bf-41a4-86a3-7aaf1f8f3d1b}\ (9 subtraces) (ID = 129102)
8:32 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\istbaristbar\ (2 subtraces) (ID = 129119)
8:32 PM: HKCR\typelib\{89a10d64-83bf-41a4-86a3-7aaf1f8f3d1b}\ (9 subtraces) (ID = 129188)
8:32 PM: Found Adware: limeshop
8:32 PM: HKLM\software\microsoft\windows\currentversion\uninstall\limeshop.xml\ (3 subtraces) (ID = 129725)
8:33 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
8:33 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
8:33 PM: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147153)
8:33 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147155)
8:33 PM: HKCR\mediaaccess.installer\ (5 subtraces) (ID = 147157)
8:33 PM: HKCR\mediaaccx.installer\ (3 subtraces) (ID = 147158)
8:33 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
8:33 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
8:33 PM: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147167)
8:33 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147169)
8:33 PM: HKLM\software\classes\mediaaccess.installer\ (5 subtraces) (ID = 147171)
8:33 PM: HKLM\software\classes\mediaaccx.installer\ (3 subtraces) (ID = 147172)
8:33 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
8:33 PM: HKLM\software\media access\ (3 subtraces) (ID = 147182)
8:33 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
8:33 PM: HKLM\software\microsoft\windows\currentversion\run\ || media access (ID = 147202)
8:33 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
8:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media access\ (2 subtraces) (ID = 147230)
8:33 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
8:33 PM: HKU\S-1-5-21-3567388149-3575068407-513705992-1005\software\microsoft\internet explorer\menuext\limeshop preferences\ (2 subtraces) (ID = 129724)
8:33 PM: HKU\S-1-5-21-3567388149-3575068407-513705992-1005\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
8:33 PM: Registry Sweep Complete, Elapsed Time:00:01:20
8:33 PM: Starting Cookie Sweep
8:33 PM: Found Spy Cookie: 2o7.net cookie
8:33 PM: user@2o7[1].txt (ID = 1957)
8:33 PM: Found Spy Cookie: 888 cookie
8:33 PM: user@888[1].txt (ID = 2019)
8:33 PM: Found Spy Cookie: websponsors cookie
8:33 PM: user@a.websponsors[2].txt (ID = 3665)
8:33 PM: Found Spy Cookie: yieldmanager cookie
8:33 PM: user@ad.yieldmanager[1].txt (ID = 3751)
8:33 PM: Found Spy Cookie: adknowledge cookie
8:33 PM: user@adknowledge[1].txt (ID = 2072)
8:33 PM: Found Spy Cookie: hbmediapro cookie
8:33 PM: user@adopt.hbmediapro[2].txt (ID = 2768)
8:33 PM: Found Spy Cookie: hotbar cookie
8:33 PM: user@adopt.hotbar[2].txt (ID = 4207)
8:33 PM: Found Spy Cookie: specificclick.com cookie
8:33 PM: user@adopt.specificclick[2].txt (ID = 3400)
8:33 PM: Found Spy Cookie: adprofile cookie
8:33 PM: user@adprofile[2].txt (ID = 2084)
8:33 PM: Found Spy Cookie: cc214142 cookie
8:33 PM: user@ads.cc214142[2].txt (ID = 2367)
8:33 PM: Found Spy Cookie: pointroll cookie
8:33 PM: user@ads.pointroll[2].txt (ID = 3148)
8:33 PM: Found Spy Cookie: atwola cookie
8:33 PM: user@atwola[1].txt (ID = 2255)
8:33 PM: Found Spy Cookie: burstnet cookie
8:33 PM: user@burstnet[2].txt (ID = 2336)
8:33 PM: Found Spy Cookie: zedo cookie
8:33 PM: user@c5.zedo[1].txt (ID = 3763)
8:33 PM: user@cnn.122.2o7[1].txt (ID = 1958)
8:33 PM: Found Spy Cookie: ru4 cookie
8:33 PM: user@edge.ru4[1].txt (ID = 3269)
8:33 PM: Found Spy Cookie: go.com cookie
8:33 PM: user@espn.go[2].txt (ID = 2729)
8:33 PM: Found Spy Cookie: exitexchange cookie
8:33 PM: user@exitexchange[1].txt (ID = 2633)
8:33 PM: Found Spy Cookie: fastclick cookie
8:33 PM: user@fastclick[2].txt (ID = 2651)
8:33 PM: user@go[1].txt (ID = 2728)
8:33 PM: Found Spy Cookie: clickandtrack cookie
8:33 PM: user@hits.clickandtrack[1].txt (ID = 2397)
8:33 PM: Found Spy Cookie: kinghost cookie
8:33 PM: user@kinghost[1].txt (ID = 2903)
8:33 PM: Found Spy Cookie: domainsponsor cookie
8:33 PM: user@landing.domainsponsor[1].txt (ID = 2535)
8:33 PM: user@msnportal.112.2o7[1].txt (ID = 1958)
8:33 PM: Found Spy Cookie: nextag cookie
8:33 PM: user@nextag[1].txt (ID = 5014)
8:33 PM: Found Spy Cookie: partypoker cookie
8:33 PM: user@partypoker[2].txt (ID = 3111)
8:33 PM: Found Spy Cookie: questionmarket cookie
8:33 PM: user@questionmarket[1].txt (ID = 3217)
8:33 PM: Found Spy Cookie: realmedia cookie
8:33 PM: user@realmedia[2].txt (ID = 3235)
8:33 PM: Found Spy Cookie: reunion cookie
8:33 PM: user@reunion[1].txt (ID = 3255)
8:33 PM: Found Spy Cookie: revenue.net cookie
8:33 PM: user@revenue[1].txt (ID = 3257)
8:33 PM: user@riptownmedia.122.2o7[2].txt (ID = 1958)
8:33 PM: Found Spy Cookie: rn11 cookie
8:33 PM: user@rn11[2].txt (ID = 3261)
8:33 PM: user@rsi.espn.go[1].txt (ID = 2729)
8:33 PM: Found Spy Cookie: serving-sys cookie
8:33 PM: user@serving-sys[1].txt (ID = 3343)
8:33 PM: user@sports-att.espn.go[1].txt (ID = 2729)
8:33 PM: user@sports.espn.go[1].txt (ID = 2729)
8:33 PM: Found Spy Cookie: reliablestats cookie
8:33 PM: user@stats1.reliablestats[1].txt (ID = 3254)
8:33 PM: Found Spy Cookie: trafficmp cookie
8:33 PM: user@trafficmp[2].txt (ID = 3581)
8:33 PM: Found Spy Cookie: videodome cookie
8:33 PM: user@videodome[1].txt (ID = 3638)
8:33 PM: Found Spy Cookie: burstbeacon cookie
8:33 PM: user@www.burstbeacon[1].txt (ID = 2335)
8:33 PM: Found Spy Cookie: www.club-nikki cookie
8:33 PM: user@www.club-nikki[1].txt (ID = 2420)
8:33 PM: Found Spy Cookie: teenax cookie
8:33 PM: user@www.teenax[1].txt (ID = 3504)
8:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:33 PM: Starting File Sweep
8:33 PM: Found Adware: ist sidefind
8:33 PM: c:\program files\sidefind (ID = -2147480325)
8:33 PM: c:\program files\media access (4 subtraces) (ID = -2147480020)
8:33 PM: c:\program files\limeshop (33 subtraces) (ID = -2147480733)
8:37 PM: Found Adware: apropos
8:37 PM: wingenerics.dll (ID = 50187)
8:38 PM: limeshop_readme.txt (ID = 65532)
8:38 PM: exec.exe (ID = 50118)
8:39 PM: Spy Installation Shield: found: Adware: winad, version 1.0.0.0 -- Execution Denied
8:42 PM: datamerchlimeshopsaved.dls (ID = 65503)
8:42 PM: mediaaccx.dll (ID = 90415)
8:43 PM: Found Adware: ebates money maker
8:43 PM: limeshop1.exe (ID = 59726)
8:43 PM: optimize.exe (ID = 64087)
8:44 PM: mediaacck.exe (ID = 90406)
8:44 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Media Access (ID = 0)
8:44 PM: mediaaccess.exe (ID = 90389)
8:46 PM: limeshop_script0.htm (ID = 65534)
8:46 PM: limeshop_script0_wo.htm (ID = 65534)
8:46 PM: File Sweep Complete, Elapsed Time: 00:13:12
8:46 PM: Full Sweep has completed. Elapsed time 00:20:11
8:46 PM: Traces Found: 271
8:47 PM: Removal process initiated
8:47 PM: Quarantining All Traces: ist istbar
8:47 PM: Quarantining All Traces: apropos
8:47 PM: apropos is in use. It will be removed on reboot.
8:47 PM: wingenerics.dll is in use. It will be removed on reboot.
8:47 PM: Quarantining All Traces: internetoptimizer
8:47 PM: Quarantining All Traces: ebates money maker
8:47 PM: Quarantining All Traces: ist sidefind
8:47 PM: Quarantining All Traces: ist software
8:47 PM: Quarantining All Traces: limeshop
8:47 PM: Quarantining All Traces: 2o7.net cookie
8:47 PM: Quarantining All Traces: 888 cookie
8:47 PM: Quarantining All Traces: adknowledge cookie
8:47 PM: Quarantining All Traces: adprofile cookie
8:47 PM: Quarantining All Traces: atwola cookie
8:47 PM: Quarantining All Traces: burstbeacon cookie
8:47 PM: Quarantining All Traces: burstnet cookie
8:47 PM: Quarantining All Traces: cc214142 cookie
8:47 PM: Quarantining All Traces: clickandtrack cookie
8:47 PM: Quarantining All Traces: domainsponsor cookie
8:47 PM: Quarantining All Traces: exitexchange cookie
8:47 PM: Quarantining All Traces: fastclick cookie
8:47 PM: Quarantining All Traces: go.com cookie
8:47 PM: Quarantining All Traces: hbmediapro cookie
8:47 PM: Quarantining All Traces: hotbar cookie
8:47 PM: Quarantining All Traces: kinghost cookie
8:47 PM: Quarantining All Traces: nextag cookie
8:47 PM: Quarantining All Traces: partypoker cookie
8:47 PM: Quarantining All Traces: pointroll cookie
8:47 PM: Quarantining All Traces: questionmarket cookie
8:47 PM: Quarantining All Traces: realmedia cookie
8:47 PM: Quarantining All Traces: reliablestats cookie
8:47 PM: Quarantining All Traces: reunion cookie
8:47 PM: Quarantining All Traces: revenue.net cookie
8:47 PM: Quarantining All Traces: rn11 cookie
8:47 PM: Quarantining All Traces: ru4 cookie
8:47 PM: Quarantining All Traces: serving-sys cookie
8:47 PM: Quarantining All Traces: specificclick.com cookie
8:47 PM: Quarantining All Traces: teenax cookie
8:47 PM: Quarantining All Traces: trafficmp cookie
8:47 PM: Quarantining All Traces: videodome cookie
8:47 PM: Quarantining All Traces: websponsors cookie
8:47 PM: Quarantining All Traces: www.club-nikki cookie
8:47 PM: Quarantining All Traces: yieldmanager cookie
8:47 PM: Quarantining All Traces: zedo cookie
8:48 PM: Quarantining All Traces: winad
8:48 PM: winad is in use. It will be removed on reboot.
8:48 PM: Preparing to restart your computer. Please wait...
8:48 PM: Removal process completed. Elapsed time 00:00:59
7:26 PM: Your spyware definitions have been updated.
7:20 PM: The Spy Communication shield has blocked access to: banners.pennyweb.com
7:20 PM: The Spy Communication shield has blocked access to: banners.pennyweb.com
7:26 PM: Processing Startup Alerts
7:26 PM: Allowed Startup entry: iTunesHelper
7:27 PM: Your spyware definitions have been updated.
7:30 PM: Processing Startup Alerts
7:30 PM: Allowed Startup entry: QuickTime Task
********
7:32 PM: | Start of Session, Tuesday, November 08, 2005 |
7:32 PM: Spy Sweeper started
7:32 PM: Sweep initiated using definitions version 569
7:32 PM: Starting Memory Sweep
7:39 PM: Found Adware: winad
7:39 PM: Detected running threat: C:\Program Files\Media Access\MediaAccK.exe (ID = 90406)
7:39 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Media Access (ID = 0)
7:41 PM: Detected running threat: C:\Program Files\Media Access\MediaAccess.exe (ID = 90389)
7:47 PM: Memory Sweep Complete, Elapsed Time: 00:14:09
7:47 PM: Starting Registry Sweep
7:47 PM: Found Adware: internetoptimizer
7:47 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
7:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
7:47 PM: Found Adware: ist istbar
7:47 PM: HKCR\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 129055)
7:47 PM: Found Adware: ist software
7:47 PM: HKCR\istx.installer\ (3 subtraces) (ID = 129073)
7:47 PM: HKLM\software\classes\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 129079)
7:47 PM: HKLM\software\classes\istx.installer\ (3 subtraces) (ID = 129096)
7:47 PM: HKLM\software\classes\istx.installer\clsid\ (1 subtraces) (ID = 129097)
7:47 PM: HKLM\software\classes\typelib\{89a10d64-83bf-41a4-86a3-7aaf1f8f3d1b}\ (9 subtraces) (ID = 129102)
7:47 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\istbaristbar\ (2 subtraces) (ID = 129119)
7:47 PM: HKCR\typelib\{89a10d64-83bf-41a4-86a3-7aaf1f8f3d1b}\ (9 subtraces) (ID = 129188)
7:47 PM: Found Adware: limeshop
7:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\limeshop.xml\ (3 subtraces) (ID = 129725)
7:47 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
7:47 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
7:47 PM: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147153)
7:47 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147155)
7:47 PM: HKCR\mediaaccess.installer\ (5 subtraces) (ID = 147157)
7:47 PM: HKCR\mediaaccx.installer\ (3 subtraces) (ID = 147158)
7:47 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
7:47 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
7:47 PM: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147167)
7:47 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147169)
7:47 PM: HKLM\software\classes\mediaaccess.installer\ (5 subtraces) (ID = 147171)
7:47 PM: HKLM\software\classes\mediaaccx.installer\ (3 subtraces) (ID = 147172)
7:47 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
7:47 PM: HKLM\software\media access\ (3 subtraces) (ID = 147182)
7:47 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
7:47 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
7:47 PM: HKLM\software\microsoft\windows\currentversion\run\ || media access (ID = 147202)
7:47 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
7:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media access\ (2 subtraces) (ID = 147230)
7:47 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
7:47 PM: HKU\S-1-5-21-3567388149-3575068407-513705992-1005\software\microsoft\internet explorer\menuext\limeshop preferences\ (2 subtraces) (ID = 129724)
7:47 PM: HKU\S-1-5-21-3567388149-3575068407-513705992-1005\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
7:47 PM: Registry Sweep Complete, Elapsed Time:00:00:25
7:47 PM: Starting Cookie Sweep
7:47 PM: Found Spy Cookie: 2o7.net cookie
7:47 PM: user@2o7[1].txt (ID = 1957)
7:47 PM: Found Spy Cookie: 888 cookie
7:47 PM: user@888[1].txt (ID = 2019)
7:47 PM: Found Spy Cookie: websponsors cookie
7:47 PM: user@a.websponsors[2].txt (ID = 3665)
7:47 PM: Found Spy Cookie: yieldmanager cookie
7:47 PM: user@ad.yieldmanager[1].txt (ID = 3751)
7:47 PM: Found Spy Cookie: adknowledge cookie
7:47 PM: user@adknowledge[1].txt (ID = 2072)
7:47 PM: Found Spy Cookie: hbmediapro cookie
7:47 PM: user@adopt.hbmediapro[2].txt (ID = 2768)
7:47 PM: Found Spy Cookie: hotbar cookie
7:47 PM: user@adopt.hotbar[2].txt (ID = 4207)
7:47 PM: Found Spy Cookie: specificclick.com cookie
7:47 PM: user@adopt.specificclick[2].txt (ID = 3400)
7:47 PM: Found Spy Cookie: adprofile cookie
7:47 PM: user@adprofile[2].txt (ID = 2084)
7:47 PM: Found Spy Cookie: cc214142 cookie
7:47 PM: user@ads.cc214142[2].txt (ID = 2367)
7:47 PM: Found Spy Cookie: pointroll cookie
7:47 PM: user@ads.pointroll[2].txt (ID = 3148)
7:47 PM: Found Spy Cookie: atlas dmt cookie
7:47 PM: user@atdmt[2].txt (ID = 2253)
7:47 PM: Found Spy Cookie: atwola cookie
7:47 PM: user@atwola[1].txt (ID = 2255)
7:47 PM: Found Spy Cookie: burstnet cookie
7:47 PM: user@burstnet[2].txt (ID = 2336)
7:47 PM: Found Spy Cookie: zedo cookie
7:47 PM: user@c5.zedo[1].txt (ID = 3763)
7:47 PM: user@cnn.122.2o7[1].txt (ID = 1958)
7:47 PM: Found Spy Cookie: ru4 cookie
7:47 PM: user@edge.ru4[1].txt (ID = 3269)
7:47 PM: Found Spy Cookie: go.com cookie
7:47 PM: user@espn.go[2].txt (ID = 2729)
7:47 PM: Found Spy Cookie: exitexchange cookie
7:47 PM: user@exitexchange[1].txt (ID = 2633)
7:47 PM: Found Spy Cookie: fastclick cookie
7:47 PM: user@fastclick[2].txt (ID = 2651)
7:47 PM: user@go[2].txt (ID = 2728)
7:47 PM: Found Spy Cookie: clickandtrack cookie
7:47 PM: user@hits.clickandtrack[1].txt (ID = 2397)
7:47 PM: Found Spy Cookie: kinghost cookie
7:47 PM: user@kinghost[1].txt (ID = 2903)
7:47 PM: Found Spy Cookie: domainsponsor cookie
7:47 PM: user@landing.domainsponsor[1].txt (ID = 2535)
7:47 PM: user@msnportal.112.2o7[1].txt (ID = 1958)
7:47 PM: Found Spy Cookie: nextag cookie
7:47 PM: user@nextag[1].txt (ID = 5014)
7:47 PM: Found Spy Cookie: partypoker cookie
7:47 PM: user@partypoker[2].txt (ID = 3111)
7:47 PM: Found Spy Cookie: questionmarket cookie
7:47 PM: user@questionmarket[1].txt (ID = 3217)
7:47 PM: Found Spy Cookie: realmedia cookie
7:47 PM: user@realmedia[2].txt (ID = 3235)
7:47 PM: Found Spy Cookie: reunion cookie
7:47 PM: user@reunion[1].txt (ID = 3255)
7:47 PM: Found Spy Cookie: revenue.net cookie
7:47 PM: user@revenue[1].txt (ID = 3257)
7:47 PM: user@riptownmedia.122.2o7[2].txt (ID = 1958)
7:47 PM: Found Spy Cookie: rn11 cookie
7:47 PM: user@rn11[2].txt (ID = 3261)
7:47 PM: user@rsi.espn.go[1].txt (ID = 2729)
7:47 PM: Found Spy Cookie: serving-sys cookie
7:47 PM: user@serving-sys[1].txt (ID = 3343)
7:47 PM: user@sports-att.espn.go[1].txt (ID = 2729)
7:47 PM: user@sports.espn.go[1].txt (ID = 2729)
7:47 PM: Found Spy Cookie: reliablestats cookie
7:47 PM: user@stats1.reliablestats[1].txt (ID = 3254)
7:47 PM: Found Spy Cookie: trafficmp cookie
7:47 PM: user@trafficmp[2].txt (ID = 3581)
7:47 PM: Found Spy Cookie: videodome cookie
7:47 PM: user@videodome[1].txt (ID = 3638)
7:47 PM: Found Spy Cookie: burstbeacon cookie
7:47 PM: user@www.burstbeacon[1].txt (ID = 2335)
7:47 PM: Found Spy Cookie: www.club-nikki cookie
7:47 PM: user@www.club-nikki[1].txt (ID = 2420)
7:47 PM: Found Spy Cookie: teenax cookie
7:47 PM: user@www.teenax[1].txt (ID = 3504)
7:47 PM: Found Spy Cookie: adserver cookie
7:47 PM: user@z1.adserver[1].txt (ID = 2142)
7:47 PM: user@zedo[1].txt (ID = 3762)
7:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
7:47 PM: Starting File Sweep
7:47 PM: Found Adware: ist sidefind
7:47 PM: c:\program files\sidefind (ID = -2147480325)
7:47 PM: c:\program files\media access (4 subtraces) (ID = -2147480020)
7:47 PM: c:\program files\limeshop (33 subtraces) (ID = -2147480733)
7:57 PM: Found Adware: apropos
7:57 PM: wingenerics.dll (ID = 50187)
7:59 PM: limeshop_readme.txt (ID = 65532)
7:59 PM: exec.exe (ID = 50118)
8:07 PM: datamerchlimeshopsaved.dls (ID = 65503)
8:08 PM: mediaaccx.dll (ID = 90415)
8:08 PM: Found Adware: ebates money maker
8:08 PM: limeshop1.exe (ID = 59726)
8:09 PM: optimize.exe (ID = 64087)
8:10 PM: mediaacck.exe (ID = 90406)
8:10 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Media Access (ID = 0)
8:10 PM: mediaaccess.exe (ID = 90389)
8:16 PM: limeshop_script0.htm (ID = 65534)
8:16 PM: limeshop_script0_wo.htm (ID = 65534)
8:16 PM: Found System Monitor: potentially rootkit-masked files
8:16 PM: 000066c4_4358043f_0004ae4b (ID = 0)
8:16 PM: 00007504_4366c799_0003f416 (ID = 0)
8:16 PM: 0000765c_4368c3af_0008b689 (ID = 0)
8:16 PM: 00007de2_4366b0ca_0003dc58 (ID = 0)
8:16 PM: 00004944_43567b57_000c2723 (ID = 0)
8:16 PM: 000006bb_4366c819_000b3288 (ID = 0)
8:16 PM: 00005c62_436c1707_0002fa73 (ID = 0)
8:16 PM: 000068c0_4367f006_00028958 (ID = 0)
8:16 PM: 0000113f_436c14f1_00037833 (ID = 0)
8:16 PM: 00001e28_436a4397_00092ab8 (ID = 0)
8:16 PM: 00004efe_43638498_0009693c (ID = 0)
8:16 PM: 00006601_4366c7a4_0000ae3b (ID = 0)
8:16 PM: 000026e9_435d7682_000a4966 (ID = 0)
8:16 PM: 00007504_436bc0ac_00080c00 (ID = 0)
8:16 PM: 0000590e_43568325_00068b69 (ID = 0)
8:16 PM: 00004a0e_4364392a_000966ac (ID = 0)
8:16 PM: 00002c49_43580517_00054d16 (ID = 0)
8:16 PM: 00005005_4362b567_000af7f8 (ID = 0)
8:16 PM: 000066bb_435fc740_000d2926 (ID = 0)
8:16 PM: 00000948_4368cc49_000dda2e (ID = 0)
8:16 PM: 00001b7e_4366b0d1_00027c88 (ID = 0)
8:16 PM: 0000116c_4368c5b8_000e3388 (ID = 0)
8:17 PM: 00000d9f_436aaeb1_00022a34 (ID = 0)
8:17 PM: 00001ad4_4356e01a_000c7443 (ID = 0)
8:17 PM: 00006b36_435c2534_0006dd44 (ID = 0)
8:17 PM: 0000387c_436b8094_0005da78 (ID = 0)
8:17 PM: 0000187e_435c26f6_0003ea8b (ID = 0)
8:17 PM: 00005c8e_436ff13a_0003111c (ID = 0)
8:17 PM: 00005a92_43713ed5_00067b59 (ID = 0)
8:17 PM: 00002ea6_435d7691_0004f661 (ID = 0)
8:17 PM: 0000281c_43713f0c_000bd0ee (ID = 0)
8:17 PM: 0000047e_43569268_0005ec61 (ID = 0)
8:17 PM: 00004230_435fcaae_000cbd94 (ID = 0)
8:17 PM: 00002b13_4368cfb8_0003fae0 (ID = 0)
8:17 PM: 00000029_435fe428_00063351 (ID = 0)
8:17 PM: 000016c5_435804b0_0007c664 (ID = 0)
8:17 PM: 00007ff5_435fc8a1_00099bfc (ID = 0)
8:17 PM: 00001e1f_436a603e_0001bcec (ID = 0)
8:17 PM: 000012db_435fc56b_000a7ef6 (ID = 0)
8:18 PM: 0000328d_4366c7b2_000f0be8 (ID = 0)
8:18 PM: 0000428b_435fc741_000abce0 (ID = 0)
8:18 PM: 0000491c_435fc643_0000e0cc (ID = 0)
8:18 PM: 00002277_43691129_000ef9fb (ID = 0)
8:18 PM: 00000b7f_4366b05b_00089a8c (ID = 0)
8:18 PM: 00005092_436ba96f_000f29fc (ID = 0)
8:18 PM: 00000a28_4362fc2f_00084c7c (ID = 0)
8:18 PM: 00006414_4366b0a6_0009f230 (ID = 0)
8:18 PM: 0000315d_4366b05b_000bd00b (ID = 0)
8:18 PM: 00003dfd_436c170b_0007f4c0 (ID = 0)
8:18 PM: 00005789_4366b05c_00001186 (ID = 0)
8:18 PM: 000073da_435c26d7_00084716 (ID = 0)
8:18 PM: 000056ae_43567b05_0006d628 (ID = 0)
8:18 PM: 0000692c_43569124_000e3ce0 (ID = 0)
8:18 PM: 000013e9_43567d7d_000aca70 (ID = 0)
8:18 PM: 00002524_436c16ad_00071cf3 (ID = 0)
8:18 PM: 0000675f_4366b05c_0002836c (ID = 0)
8:18 PM: 000013b9_4366b05c_000851f0 (ID = 0)
8:18 PM: 000022ee_43568e7e_000e9f00 (ID = 0)
8:18 PM: 0000339a_436a2155_0001d283 (ID = 0)
8:18 PM: 00002c67_4368cc2c_00062f98 (ID = 0)
8:18 PM: 00001249_4366b05c_000963c4 (ID = 0)
8:18 PM: 000054dc_435c2735_0006d41b (ID = 0)
8:18 PM: 0000451c_4368cc2c_0007dde6 (ID = 0)
8:18 PM: Spy Installation Shield: found: Adware: winad, version 1.0.0.0 -- Execution Denied
8:18 PM: 0000527f_4364013f_00070c68 (ID = 0)
8:18 PM: 0000513e_435eae3c_0007fd36 (ID = 0)
8:19 PM: Sweep Canceled
8:25 PM: BHO Shield: found: -- BHO installation allowed at user request
8:26 PM: | End of Session, Tuesday, November 08, 2005 |
********
7:25 PM: | Start of Session, Tuesday, November 08, 2005 |
7:25 PM: Spy Sweeper started
7:26 PM: Your spyware definitions have been updated.
7:27 PM: BHO Shield: found: -- BHO installation allowed at user request
7:31 PM: Memory Shield: Found: Memory-resident threat winad, version 1.0.0.0
7:31 PM: Detected running threat: winad
7:32 PM: | End of Session, Tuesday, November 08, 2005 |


Thanks again... I can't say that enough.
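As an added example for reading logs like the one above (this is not part of the original post and not Webroot's code), here is a Python script that splits a pasted Spy Sweeper log into sessions and pulls out what a reviewer actually needs from each one: which threats were found, what was running in memory at scan time, which removals were deferred to the reboot, whether the sweep was canceled, and which folder traces need a manual check afterwards. The line patterns are assumptions fitted to the log shape shown in this thread, and the sample input is a handful of lines copied from the log above.

```python
# Summarize a pasted Webroot Spy Sweeper log, session by session.
# Added example for this thread: not part of the original post and not Webroot
# code. The line patterns are assumptions fitted to the log shape shown above.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIME = r"\d{1,2}:\d{2} [AP]M: "                       # every line starts with a clock time
SESSION_RE = re.compile(TIME + r"\| Start of Session, (.+?) \|$")
DEFS_RE = re.compile(TIME + r"Sweep initiated using definitions version (\d+)$")
FOUND_RE = re.compile(TIME + r"Found ([A-Za-z ]+?): (.+)$")            # "Found Adware: winad"
RUNNING_RE = re.compile(TIME + r"Detected running threat: (.+?) \(ID = -?\d+\)$")
TRACE_RE = re.compile(TIME + r"(.+?)(?: \(\d+ subtraces\))? \(ID = -?\d+\)$")  # file/key/cookie
TRACES_RE = re.compile(TIME + r"Traces Found: (\d+)$")
QUAR_RE = re.compile(TIME + r"Quarantining All Traces: (.+)$")
REBOOT_RE = re.compile(TIME + r"(.+?) is in use\. It will be removed on reboot\.$")
CANCEL_RE = re.compile(TIME + r"Sweep Canceled$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

@dataclass
class Session:
    started: str
    definitions: Optional[str] = None
    found: Dict[str, List[str]] = field(default_factory=dict)  # kind -> names, in order seen
    traces: List[str] = field(default_factory=list)            # every file, key or cookie trace
    running: List[str] = field(default_factory=list)           # threats live in memory at scan time
    traces_found: Optional[int] = None
    quarantined: List[str] = field(default_factory=list)
    pending_reboot: List[str] = field(default_factory=list)    # "in use, removed on reboot"
    canceled: bool = False

def parse_spysweeper_log(text: str) -> List[Session]:
    # Spy Sweeper prints "Found X" only the first time X appears in a session, so
    # traces are kept as one flat list instead of being attributed to the heading above.
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SESSION_RE.match(line)):
            cur = Session(started=m.group(1))
            sessions.append(cur)
        elif cur is None:
            continue                          # noise before the first session header
        elif (m := DEFS_RE.match(line)):
            cur.definitions = m.group(1)
        elif (m := FOUND_RE.match(line)):
            names = cur.found.setdefault(m.group(1), [])
            if m.group(2) not in names:
                names.append(m.group(2))
        elif (m := RUNNING_RE.match(line)):   # before TRACE_RE, which would also match it
            cur.running.append(m.group(1))
        elif (m := TRACES_RE.match(line)):
            cur.traces_found = int(m.group(1))
        elif (m := QUAR_RE.match(line)):
            cur.quarantined.append(m.group(1))
        elif (m := REBOOT_RE.match(line)):
            cur.pending_reboot.append(m.group(1))
        elif CANCEL_RE.match(line):
            cur.canceled = True
        elif (m := TRACE_RE.match(line)):
            cur.traces.append(m.group(1))
    return sessions

def directory_traces(session: Session) -> List[str]:
    # Folder traces: the log never says whether the whole folder was quarantined
    # or only files inside it, so these paths need a manual check after the reboot.
    return [t for t in session.traces
            if DRIVE_RE.match(t) and "." not in t.rsplit("\\", 1)[-1]]

def summary(s: Session) -> str:
    status = "SWEEP CANCELED, nothing removed" if s.canceled else (
        f"{s.traces_found} traces, {len(s.quarantined)} groups quarantined")
    lines = [f"{s.started} (defs {s.definitions}): {status}"]
    lines += [f"  {kind}: {', '.join(n)}" for kind, n in s.found.items()]
    lines += [f"  running during scan: {r}" for r in s.running]
    lines += [f"  deferred to reboot: {p}" for p in s.pending_reboot]
    lines += [f"  verify folder is gone: {d}" for d in directory_traces(s)]
    return "\n".join(lines)

# Sample input: lines copied from the log above, abbreviated to three sessions.
SAMPLE_LOG = r"""
2:37 PM: | Start of Session, Sunday, November 13, 2005 |
2:37 PM: Sweep initiated using definitions version 572
2:43 PM: Found Spy Cookie: 2o7.net cookie
2:43 PM: user@2o7[1].txt (ID = 1957)
2:58 PM: Traces Found: 30
********
8:26 PM: | Start of Session, Tuesday, November 08, 2005 |
8:26 PM: Sweep initiated using definitions version 569
8:30 PM: Found Adware: winad
8:30 PM: Detected running threat: C:\Program Files\Media Access\MediaAccK.exe (ID = 90406)
8:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Media Access (ID = 0)
8:33 PM: Found Adware: ist sidefind
8:33 PM: c:\program files\sidefind (ID = -2147480325)
8:33 PM: c:\program files\media access (4 subtraces) (ID = -2147480020)
8:37 PM: Found Adware: apropos
8:37 PM: wingenerics.dll (ID = 50187)
8:46 PM: Traces Found: 271
8:47 PM: Quarantining All Traces: apropos
8:47 PM: apropos is in use. It will be removed on reboot.
8:48 PM: Quarantining All Traces: winad
8:48 PM: winad is in use. It will be removed on reboot.
********
7:32 PM: | Start of Session, Tuesday, November 08, 2005 |
7:39 PM: Found Adware: winad
8:16 PM: Found System Monitor: potentially rootkit-masked files
8:16 PM: 000066c4_4358043f_0004ae4b (ID = 0)
8:19 PM: Sweep Canceled
"""

if __name__ == "__main__":
    print("\n\n".join(summary(s) for s in parse_spysweeper_log(SAMPLE_LOG)))
```

Spy Sweeper writes sessions newest first, so read the output bottom-up to follow the history. On the sample it shows the caveats that matter here: the 7:32 PM sweep on November 08 was canceled, so nothing it listed was removed at that point; the 8:26 PM sweep found winad live in memory and deferred apropos and winad to the reboot; and the two folder traces under Program Files are the ones to confirm by hand, because a "Quarantining All Traces" line does not say whether the directory itself went.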

#6 Armodeluxe (Retired Staff, 2,744 posts)
Well, four programs all of the same functionality is a bit overkill; that's why I asked. If you're planning to pay for one, my vote would definitely go to Spysweeper, but it's your choice. You can still keep Ewido after the trial period ends; the only thing missing will be the active protection. You can still update and scan.

Now you know that whenever you run into problems scanning with any program, the first thing to do is try again in Safe Mode. That is true for both antispyware and antivirus.

Spysweeper found these, but I'm not sure if it got rid of the complete directories or just the files:

Media Access
sidefind
limeshop


Check if there is an entry for them in Control Panel > Add/Remove Programs and, if so, uninstall them.

Then delete these folders if they still exist:

C:\Program Files\Media Access
c:\program files\sidefind
c:\program files\limeshop

Two entries came back in HijackThis. I think the Spysweeper shield interfered with the fixes, so let's disable it temporarily.

To disable SpySweeper Shields:
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.
Now open HijackThis and click Scan. Put a check next to these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm


Close all other windows except HijackThis and click Fix Checked.

Then reboot and please post a new HijackThis log. You can re-enable the Spysweeper shields. Are you having any more problems now?
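One way to check the result of the steps above mechanically, as an added example that is not part of the original post and not HijackThis code: parse the two R0 entries marked for fixing, confirm they are absent from the next HijackThis log, and flag any other browser setting that is empty or points at a local file, which is the residue adware typically leaves. The regular expressions cover only the R0-R3 and O2/O3 line shapes seen in this thread; the sample input is the two entries from this post plus a few lines copied from the HijackThis log posted further down.

```python
# Check a HijackThis log against a list of entries that were supposed to be fixed.
# Added example for this thread: not part of the original post and not HijackThis
# code. Only the R0-R3 and O2/O3 line shapes seen in this thread are parsed.
import re
from typing import Dict, List, NamedTuple, Optional

class Entry(NamedTuple):
    section: str            # "R0", "O2", ...
    name: str               # registry value (R*) or component name (O2/O3)
    clsid: Optional[str]    # O2/O3 only
    data: str               # URL for R*, DLL path for O2/O3

R_RE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = ?(.*)$")
O_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
LOCAL_RE = re.compile(r"^(?:[a-z]:\\|file:|res://)", re.IGNORECASE)

def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := R_RE.match(line)):
            entries.append(Entry(m.group(1), m.group(3).strip(), None, m.group(4).strip()))
        elif (m := O_RE.match(line)):
            entries.append(Entry(m.group(1), m.group(2), m.group(3).upper(), m.group(4).strip()))
    return entries

def suspicious_r_entries(entries: List[Entry]) -> List[Entry]:
    # Heuristic, not a verdict: an empty browser setting or one pointing at a local
    # file is what adware leaves behind, and is exactly what the fix list targets.
    return [e for e in entries if e.section.startswith("R")
            and (e.data == "" or LOCAL_RE.match(e.data))]

def _norm(line: str) -> str:
    return " ".join(line.split()).lower()

def still_present(fix_list: str, new_log: str) -> List[str]:
    # Entries from the fix list that reappear verbatim in the new log. A non-empty
    # result means something re-created them between the fix and the reboot.
    wanted = {_norm(l) for l in fix_list.splitlines() if l.strip()}
    return sorted(wanted & {_norm(l) for l in new_log.splitlines()})

def dll_index(entries: List[Entry]) -> Dict[str, List[Entry]]:
    # Group O2/O3 entries by DLL so a module registered as both BHO and toolbar,
    # or one file behind several CLSIDs, stands out when reviewing a log.
    index: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.clsid:
            index.setdefault(e.data.lower(), []).append(e)
    return index

# The two entries this post says to fix, and a few lines copied from the new
# HijackThis log posted later in this thread.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
"""
NEW_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
"""

if __name__ == "__main__":
    print("fix-list entries still present:", still_present(FIX_LIST, NEW_LOG))
    print("suspicious browser settings:", suspicious_r_entries(parse_hjt(NEW_LOG)))
    for dll, ents in dll_index(parse_hjt(NEW_LOG)).items():
        print(dll, "->", [(e.section, e.name) for e in ents])
```

Run against the new log, `still_present` comes back empty and no R entry is flagged, which is the mechanical form of "the two entries did not come back". The DLL index is there for the next review pass: NavShExt.dll and googletoolbar2.dll each appear twice, once as a BHO and once as a toolbar, which is normal for those products, whereas an unfamiliar DLL registered under several CLSIDs is worth looking up before deciding it is benign.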

#7 rileyd99 (Topic Starter, 15 posts)
Thanks so much!! I think everything is working much better now. Aside from a couple of "No Server Found" pages when I try to get here directly from Outlook, everything seems to be OK. The Internet is running a bit slow, but faster than before. No more error messages when I shut down. As for the programs, I was impressed with Spysweeper, so I was going to pay for that, but what about trojans and the like? Will that program handle that kind of trouble, or should I keep one of the other programs to handle that stuff? Thanks again for all the help... I was lost looking at all of these scans! Here is the latest HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 9:20:02 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://crmls.fnismls...rintControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130289785357
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.q....096/qboax8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://crmls.fnismls...stemChecker.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again so much.

Ryan
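Reading a log like the one above line by line is slow work, so here is an added Python example (not a tool from this thread or from HijackThis itself) that parses entries in the HJT v1.99.1 log format, counts them by section and flags the kinds of entries a helper checks first: O4 autostarts that give no full path, O15 Trusted Zone entries, and O16 ActiveX downloads fetched over plain HTTP. The sample lines are constructed from entries quoted in the thread; the flag rules are this example's own triage heuristics, not HijackThis logic.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries
# quoted in the thread (paths and CLSIDs as they appear there).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# O4 Run-key entry: "<key>: [<value name>] <command line>" (Startup .lnk lines are counted only)
O4_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

def triage(log_text):
    """Parse HJT entries; return per-section counts and entries worth a closer look."""
    counts = Counter()
    flags = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blank lines are skipped
        sec, body = m.group("sec"), m.group("body")
        counts[sec] += 1
        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4 and not ABS_PATH_RE.match(o4.group("cmd")):
                # A bare file name is resolved through the search path at logon,
                # so the log alone does not show which file actually runs.
                flags.append((sec, "autostart without a full path; locate the file on disk", line))
        elif sec == "O15":
            flags.append((sec, "Trusted Zone entry relaxes IE security for that site", line))
        elif sec == "O16" and not body.split(" - ")[-1].lower().startswith("https://"):
            flags.append((sec, "ActiveX control downloaded over plain HTTP", line))
    return {"counts": counts, "flags": flags}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(dict(result["counts"]))
    for sec, why, entry in result["flags"]:
        print(f"[{sec}] {why}\n    {entry}")
```

A flag is a prompt to look closer, not a verdict: the bare `000StTHK.exe` entry above is a Toshiba hotkey helper, which is exactly the kind of thing you confirm by finding the file on disk.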

#8 Armodeluxe
Spysweeper handles trojans, but as I said, keep Ewido along with Spysweeper; it is one of the best trojan scanners.

One other thing I noticed is that you get too many spyware cookies. Most of those cookies are third-party cookies and can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click the small triangle next to cookies to expand that tab and put a check next to "for the originating website only". This will prevent third party cookies from being installed on your computer.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

Blocking third-party cookies will reduce the amount of spyware cookies significantly, and those scans won't take as long. Also, Spywareblaster, which I will be recommending below, blocks most known spyware cookies.

To improve performance:

Start > All Programs > Accessories > System Tools

You will see the Disk Cleanup and Disk Defragmenter utilities there.

Use them to clean temporary files and temporary internet files and to defragment your hard drive. Make a habit of running them regularly.

Your log looks clean now.

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

I'm not sure if your Norton includes a firewall; if not, don't rely on the Windows firewall, as it monitors only incoming traffic. Pick one of these, they are all free.
Kerio
Zonealarm
Sygate

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, and scan every file before clicking on it.

Additional programs to consider:

Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.
Firefox: An alternate browser, safer than IE.

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe

#9 rileyd99
Thanks so much for all of the help. One last question...will using Disk Cleanup or the Defragmenter erase any of my files? What will those two tools do? Thanks again.

Ryan

#10 Armodeluxe
Defragmenter relocates files on your hard drive, saving you space for better performance; it doesn't delete anything.

Disk Cleanup deletes the Temporary Files and Temporary Internet Files, so yes, if you have placed any files in the temporary folders they would get deleted. If you have any files there you want to keep, please move them to a permanent location.

#11 rileyd99
Awesome...Thanks again!!

Ryan

#12 Armodeluxe
Thanks for the contribution.