"Windows has detected spyware infection" Winhound [CLOSED]



#1
Kid A

Hi there,

I recently stumbled onto this website while trying to find a cure to this problem. Another user has/had? the same problem and had a thread entitled "2 red x's in bottom taskbar with pop up". Uncoincidentally, I think they stated that this problem appeared after installing RealPlayer. I noticed this problem appeared a day or two after I installed the program on my computer as well. Anyway, I am posting here in hopes that one of you fine people can help me out. I would greatly appreciate it. One thing I've noticed that I am encountering that other people do not mention is that my computer connection continuously cuts out every now and then (I have dial-up). While noticing this, I open Network Connections on my computer and notice that another connection that I have nothing to do with is trying to connect. Say my connection to the internet is called "hey"; this connection is called "hey 1". I find this sort of activity alarming. I think this particular problem is classed as "low risk", but I find that strange. Especially since this connection only appears when trying to connect, and later disappears when it is unable to. I am unable to delete it, and it usually only flashes on my screen for a few seconds. I have taken screenshots, and have the numbers it dials saved if needed. Anyway, here is my HJT log..

Ok. Well, I just noticed that copy and paste isn't working for some reason. I will try and post it later, I guess. This sometimes happened when my computer was functioning normally, so yeah. Maybe a restart will do the trick. If not, I will try the guide on this website for trying to fix the problem. Thanks for reading this. If you can tell me if the Network Connections thing is strange in regards to this spyware problem, that would be great anyways.


#2
tampabelle

We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3
Kid A

Logfile of HijackThis v1.99.1
Scan saved at 1:12:48 AM, on 1/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\fwnet64.exe
C:\WINDOWS\MsHS64.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\inet20001\services.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\windows\system32\wlmsn.exe
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\ppl32.exe
C:\WINDOWS\System32\kernels64.exe
C:\WINDOWS\System32\priva.exe
C:\WINDOWS\sachostx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\batserv2.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\inet20001\mm4.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
C:\Program Files\Internet Explorer\IExplore.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System\svwhost.exe
C:\WINDOWS\System32\qvxgamet3.exe
C:\WINDOWS\System32\qvxgamet4.exe
C:\WINDOWS\System32\sysc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.sma...et/7search/?003
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "c:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows Taskbar Manager] c:\windows\system32\wlmsn.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32] C:\WINDOWS\System32\win32.exe
O4 - HKLM\..\Run: [ppl32] C:\WINDOWS\System32\ppl32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\priva.exe internat.dll,LoadMouseCarpetProfile
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O20 - Winlogon Notify: htproc - C:\WINDOWS\SYSTEM32\htproc32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe
O23 - Service: MsHS64 - Unknown owner - C:\WINDOWS\MsHS64.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe" -f -af (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


There is the info you requested. Hope this helps. Rather long list. :tazz:

#4
tampabelle

Hi,

Next time, before you scan with Hijack This, close all windows other than Hijack This and then proceed to scan. This reduces the list of running processes (you seem to have some 10 IE windows open when this scan was done).


You have a bunch of trojans / malware on your PC.


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

#5
Kid A

Hi there,

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:12 AM, on 1/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels64.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vxh8jkdq5.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "c:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [WindowsUpdateNT] C
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: wLYHORZ - {686541B5-C2CF-EB1F-8AA1-507A7DC8A3AC} - C:\WINDOWS\System32\kxwom.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: MsHS64 - Unknown owner - C:\WINDOWS\MsHS64.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe" -f -af (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

----------------------------------------------------------

Here is the first log from ewido (I forgot to update initially, and ran the program two times):

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:13:23 AM, 1/14/2006
+ Report-Checksum: BA9A4C3A

+ Scan result:

C:\Documents and Settings\Sir William\Local Settings\Temp\vxt2.game -> Heuristic.Win32.AVKiller : Ignored
C:\WINDOWS\SYSTEM32\vxgamet2.exe -> Heuristic.Win32.AVKiller : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F72BC3F0-6C20-4793-9DDA-258589D8A907} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-2825131439-1170255207-2065461856-1006\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2825131439-1170255207-2065461856-1006\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-2825131439-1170255207-2065461856-1006\Software\Search404 -> pyware.404Search : Cleaned with backup
HKU\S-1-5-21-2825131439-1170255207-2065461856-1006\Software\Search404\all -> Spyware.404Search : Cleaned with backup
HKU\S-1-5-21-2825131439-1170255207-2065461856-1006\Software\Search404\all\Info -> Spyware.404Search : Cleaned with backup
[236] C:\WINDOWS\system32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
C:\Documents and Settings\Cynthia\Cookies\[email protected][2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Cynthia\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Cynthia\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cynthia\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cynthia\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\10p[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\g3[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[10].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[1].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[2].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[3].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[4].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[5].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[6].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[7].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[8].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks7b[9].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[1].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[2].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[3].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[4].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[5].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[6].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[7].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\socks8b[8].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\10p[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\g3[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\MediaTicketsInstaller[1].cab/MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\mmed[1].cab/mm21.ocx -> Downloader.VB.ez : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\p[1].gif -> Backdoor.Mocbot.a : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\socks7b[1].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\10p[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\10p[2].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\10p[3].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\bridge-c7[1].cab/SyncroAdX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[2].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[3].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[4].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[5].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\g3[6].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[1].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[2].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[3].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[4].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[5].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\newp[6].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[1].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[2].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[3].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[4].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[5].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[6].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[7].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\socks7b[8].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\10p[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\10p[2].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\10p[3].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\g3[1].exe -> Proxy.Agent.ic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[10].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[11].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[12].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[1].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[2].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[3].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[4].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[5].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[6].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[7].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[8].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks7b[9].jpg -> Proxy.Ranky.cu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks8b[1].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks8b[2].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks8b[3].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks8b[4].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\socks8b[5].jpg -> Proxy.Ranky.cw : Cleaned with backup
C:\Documents and Settings\Sir William\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sir William\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sir William\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\1.qtdfmp -> Downloader.Small.asa : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\1213.4516 -> Downloader.Small.aqu : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\Cookies\sir [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\ICD2.tmp\internazionale_ver3.ocx -> Spyware.AdPowerZone : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\iinstall.exe -> Downloader.IstBar : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\optimize.exe -> Downloader.Dyfuca.da : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\oqhprcat.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\rsysinit.exe -> Trojan.ExitWin.z : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\sidefind.exe -> Downloader.IstBar : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\vx2.game -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\vx3.game -> Downloader.CWS.r : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\vx4.game -> Downloader.Small.aqu : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\vxt1.game -> Downloader.Small.cds : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\X7HRJBLM\krab04[1].exe -> Dropper.Agent.ol : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\X7HRJBLM\x_jb[1].exe -> Backdoor.Agent.px : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\ZIABU4NO\loader33[1].exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_80.exe -> Downloader.Mediket.bk : Cleaned with backup
C:\ms32.tmp -> Downloader.Small.azk : Cleaned with backup
C:\Program Files\Internet Explorer\mtziiyhw.exe -> Downloader.Small.ug : Cleaned with backup
C:\Program Files\Internet Explorer\pwpenlqb.exe -> Downloader.Agent.eq : Cleaned with backup
C:\Program Files\Internet Explorer\tizczyds.exe -> Downloader.Small.ug : Cleaned with backup
C:\Program Files\Internet Explorer\ubfjikmz.exe -> Downloader.Agent.ay : Cleaned with backup
C:\Program Files\SideFind\sfexd001 -> Spyware.SideFind : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\fwnet64.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\inet20001\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\MsHS64.exe -> Backdoor.SdBot.aiv : Cleaned with backup
C:\WINDOWS\msopt.dll -> Downloader.Small.kq : Cleaned with backup
C:\WINDOWS\re11.REG -> Trojan.LowZones.a : Cleaned with backup
C:\WINDOWS\SYSTEM\svwhost.exe -> Backdoor.Agent.px : Cleaned with backup
C:\WINDOWS\SYSTEM32\10.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\11.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\12.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\13.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\14.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\15.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\16.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\17.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\18.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\19.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1A.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1B.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1C.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1D.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1E.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\1F.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\20.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\21.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\22.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\24.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\26.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\28.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\29.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2A.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2B.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2C.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2D.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2E.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\2F.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\32.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\33.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\34.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\35.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\36.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\37.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\38.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\39.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3A.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3B.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3C.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3D.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3E.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\3F.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\40.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\41.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\46.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\7E.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\82.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\83.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\84.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\86.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\89.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\8A.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\8C.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\8D.tmp -> Proxy.Ranky.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\9.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\9A.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\9D.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\A.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\B.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cihgme32.dll -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\kkq[1].gif -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldr32a[1].exe -> Downloader.Small.yn : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\xxxxxxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\xxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\SYSTEM32\D.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\dnsapi.exe -> Downloader.Small.us : Cleaned with backup
C:\WINDOWS\SYSTEM32\E.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\F.tmp -> Proxy.Ranky.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\Hdialndb.exe -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\htproc32.dll -> Trojan.Lineage.sk : Cleaned with backup
C:\WINDOWS\SYSTEM32\Iefmllia.exe -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\K404SearchSetup_MS4.exe -> Spyware.404Search : Cleaned with backup
C:\WINDOWS\SYSTEM32\kxwom.dll -> Proxy.Agent.df : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr32a.exe -> Downloader.Small.yn : Cleaned with backup
C:\WINDOWS\SYSTEM32\Mamfgm32.dll -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\Mkgjfm32.dll -> Logger.Qukart.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\SYSTEM32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
C:\WINDOWS\SYSTEM32\netslv32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\SYSTEM32\ppl32.exe -> Proxy.Agent.ic : Cleaned with backup
C:\WINDOWS\SYSTEM32\priva.exe -> Downloader.Small.asa : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\2.01.00.dll -> Downloader.Small.me : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\daedle.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\dale.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\elite.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\gamka324.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\he4sy.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\loesvse.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\losve.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\services\sexychat.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\split1.exe -> Downloader.Small.aqu : Cleaned with backup
C:\WINDOWS\SYSTEM32\tdbO.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP164 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP1872 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP3956 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\trofkz.REG -> Trojan.LowZones.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame2.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame3.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame4.exe -> Downloader.Small.aqu : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgamet1.exe -> Downloader.Small.cds : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe -> Downloader.Small.asa : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\WINDOWS\SYSTEM32\win32.exe -> Proxy.Agent.ic : Cleaned with backup
C:\WINDOWS\SYSTEM32\wlmsn.exe -> Backdoor.IRCBot.ky : Cleaned with backup
C:\WINDOWS\SYSTEM32\x.bat -> Trojan.Zapchast : Cleaned with backup
C:\WINDOWS\te.exe/trofkz.REG -> Trojan.LowZones.a : Cleaned with backup
C:\WINDOWS\te.exe/x.bat -> Trojan.Zapchast : Cleaned with backup
C:\WINDOWS\Temp\ICD1.tmp\mm21.ocx -> Downloader.VB.ez : Cleaned with backup
C:\WINDOWS\Temp\ICD2.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Temp\WinWildApp.exe -> Spyware.WinFetcher : Cleaned with backup
C:\WINDOWS\uninstIU.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\warnhp.html -> Hijacker.WallpaperChange : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\~WRF0409.tmp -> Downloader.Zlob.as : Cleaned with backup


::Report End

----------------------------------------------------

Log 2:

+ Created on: 3:07:05 AM, 1/14/2006
+ Report-Checksum: EBF7F21C

+ Scan result:

C:\Documents and Settings\Sir William\Local Settings\Temp\1.qtdfmp -> Downloader.Small.asa : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\dmx46.tmp -> Worm.Locksky.y : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\maxdd.game -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temp\qvxt2.game -> Not-A-Virus.SpamTool.Win32.Mailbot.t : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\0S2U4E6G\instupx[1].exe -> Downloader.Agent.acv : Cleaned with backup
C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\PQRJBUVN\r4[1].exe -> Backdoor.Small.jo : Cleaned with backup
C:\Program Files\SideFind -> Adware.SideFind : Cleaned with backup
C:\Program Files\SideFind\sfbho.dll -> Adware.SideFind : Cleaned with backup
C:\Program Files\SideFind\update -> Adware.SideFind : Cleaned with backup
C:\Program Files\WinHound -> Adware.WinHound : Cleaned with backup
C:\Program Files\WinHound\Trash -> Adware.WinHound : Cleaned with backup
C:\WINDOWS\batserv2.exe -> Worm.Locksky.s : Cleaned with backup
C:\WINDOWS\sachostx.exe -> Worm.Locksky.y : Cleaned with backup
C:\WINDOWS\sstray.exe -> Backdoor.Small.jo : Cleaned with backup
C:\WINDOWS\SYSTEM\svchost.exe -> Backdoor.Small.jo : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\netpt.sys -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\maxd64.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\SYSTEM32\msvcrl.dll -> Worm.Locksky.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\perfont.exe -> Downloader.Agent.acv : Cleaned with backup
C:\WINDOWS\SYSTEM32\priva.exe -> Downloader.Small.asa : Cleaned with backup
C:\WINDOWS\SYSTEM32\qvxgamet2.exe -> Not-A-Virus.SpamTool.Win32.Mailbot.t : Cleaned with backup
C:\WINDOWS\SYSTEM32\sachostc.exe -> Worm.Locksky.z : Cleaned with backup
C:\WINDOWS\SYSTEM32\sachostp.exe -> Worm.Locksky.x : Cleaned with backup
C:\WINDOWS\SYSTEM32\sachosts.exe -> Worm.Locksky.w : Cleaned with backup
C:\WINDOWS\SYSTEM32\sachostw.exe -> Worm.Locksky.z : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame2.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgamet1.exe -> Downloader.Small.cds : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgamet2.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup


::Report End


----------------------------



At first when I signed back into my computer in normal mode, I noticed that the red circle and white x's were gone. But, when I signed onto the internet they later returned. The Ewido program has been sounding off like mad as well now, finding more infections. I don't know. Are we any closer to solving the problem?
Thanks again.

p.s. The red circle and white x has since disappeared now?? Odd.


edit -

Screenshot:

http://www.boomspeed...yl/suspects.JPG


Those two things I can't seem to get rid of, and I think they are what is causing this problem to continue. The 10ppp thing in particular. Every time I signed onto the internet it would open and seem as if it was scanning my computer for a second. It hasn't now, but it did beforehand. That winstall thing was also created at the exact same time I restarted and entered into my computer in normal mode. I was reading about this problem elsewhere, and it mentioned that particular thing (I say "thing", because I don't know the technical name. Application maybe?? Oh well.). Anyway, I'm just trying to inform you of everything I can. Hope this edit helps you help me better!!

Edited by Kid A, 14 January 2006 - 02:43 AM.


#6
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log and the contents of smitfiles.txt by using Add Reply.
Let us know if any problems persist.

#7
Kid A

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:14 AM, on 1/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels64.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vxh8jkdq5.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "c:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [WindowsUpdateNT] C
O4 - HKCU\..\Run: [WindowsUpdate] c:\windows\r4.exe /s
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: wLYHORZ - {686541B5-C2CF-EB1F-8AA1-507A7DC8A3AC} - C:\WINDOWS\System32\kxwom.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: MsHS64 - Unknown owner - C:\WINDOWS\MsHS64.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe" -f -af (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

------------------------------------------------------

Smitfiles.txt :




smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 01/14/2006
The current time is: 20:56:08.56

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed! :)

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch WinHound spyware remover.lnk
Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

svcp.csv
winsub.xml


~~~ Icons in System32 ~~~

~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 728 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :) Starting replacement procedure.

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll not present! ~~~~

~~~ A good copy of wininet.dll was not found. Look for more locations. ~~~


----------------------------------------------------------------------------

Activescan report:

Incident Status

Location

Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\mtrslib2[1].js
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\mtrslib2[1].js
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sir William\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sir William\Cookies\sir [email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sir William\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sir William\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sir William\Desktop\SpyAxeFix.zip[Process.exe]
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\1.qtdfmp
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\1213.4516
Adware:adware/adsmart Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\2.qtdfmp
Dialer:Dialer.FGG Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\maxdd.game
Virus:Bck/Galapoper.IJ Disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vx2.game
Adware:Adware/CWS.Yexe Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vx3.game
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vx4.game
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vxt1.game
Virus:Trj/Delf.VP Disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vxt3.game
Virus:Trj/Downloader.HDI Disinfected C:\Documents and Settings\Sir William\Local Settings\Temp\vxt4.game
Virus:W32/Shellot.S.worm Disinfected C:\Documents and Settings\Sir William\Local Settings\Temporary Internet Files\Content.IE5\A54FE9AN\r4[1].exe
Virus:Trj/Downloader.AEU Not disinfected C:\ied_s7.cab[ied_s7_c_30.exe]
Dialer:Dialer.XD Not disinfected C:\ied_s7.cab[ied.inf]
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:adware/gator Not disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:adware/dyfuca Not disinfected C:\WINDOWS\nem219.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\re12.reg
Virus:W32/Shellot.S.worm Disinfected C:\WINDOWS\SYSTEM\svchost.dll
Virus:W32/Shellot.S.worm Disinfected C:\WINDOWS\SYSTEM\svchost.exe
Adware:adware/cydoor Not disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Virus:Bck/Webber.AB Disinfected C:\WINDOWS\SYSTEM32\foenix.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\kernels64.exe
Adware:Adware/WUpd Not disinfected C:\WINDOWS\SYSTEM32\services\loud234.exe
Virus:Trj/Agent.AT Disinfected C:\WINDOWS\SYSTEM32\services\ovv.exe
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\SYSTEM32\staff.html
Virus:W32/Locksky.AN.worm Disinfected C:\WINDOWS\SYSTEM32\sysc.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP136
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\vxgame4.exe
Virus:Trj/Downloader.HDI Disinfected C:\WINDOWS\SYSTEM32\vxgamet4.exe
Dialer:Dialer.FGG Not disinfected C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
Virus:Trj/Downloader.HEA Disinfected C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\web.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:adware/popupsandbanners Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/spysheriff Not disinfected C:\winstall.exe
--------------------------------------------------------------------

The problem is still continuing. Each time I connect to the internet, ewido sounds off and prompts me to clean about ten things in a row. The red circle wasn't there after I ran everything, but I then restarted my computer and it was back. It has since left again, though. I noticed that the winstall thing that I pictured disappeared when I initially ran everything, but when the red circle came back...it since returned. The 10ppp thing never left. I'm pretty sure I ran everything correctly. Can you tell me if I did anything wrong?? I noticed the Panda Activescan said that I still have a virus on my computer, as well as many other bad things. Task Manager continues to be disabled for me as well. Oddly enough, I ran my old ad-aware program I had when I first noticed this problem and it took care of that problem and removed what was causing it. It was a repeating problem, though. Anyway, any other advice is appreciated. Thanks. :tazz:

#8
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Please download wininet.dll. Save it on your desktop and then save a copy of the file in the folder - C:\WINDOWS\system32\dllcache


Delete the files, if found -

C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\GatorHDPlugin.log
C:\WINDOWS\nem219.dll
C:\WINDOWS\re12.reg
C:\WINDOWS\SYSTEM\svchost.dll
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\SYSTEM32\cd_clint.dll
C:\WINDOWS\SYSTEM32\foenix.exe
C:\WINDOWS\SYSTEM32\i
C:\WINDOWS\SYSTEM32\kernels64.exe
C:\WINDOWS\SYSTEM32\services\loud234.exe
C:\WINDOWS\SYSTEM32\services\ovv.exe
C:\WINDOWS\SYSTEM32\staff.html
C:\WINDOWS\SYSTEM32\sysc.exe
C:\WINDOWS\SYSTEM32\TFTP136
C:\WINDOWS\SYSTEM32\vxgame4.exe
C:\WINDOWS\SYSTEM32\vxgamet4.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe
C:\WINDOWS\SYSTEM32\web.exe
C:\WINDOWS\teller2.chk
C:\winstall.exe


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Reboot the PC and post a fresh Hijack This log along with the contents of the smitfiles.txt by using Add Reply.

#9
Kid A

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:25:51 AM, on 1/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels64.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "c:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [WindowsUpdateNT] C
O4 - HKCU\..\Run: [WindowsUpdate] c:\windows\r4.exe /s
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: wLYHORZ - {686541B5-C2CF-EB1F-8AA1-507A7DC8A3AC} - C:\WINDOWS\System32\kxwom.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: MsHS64 - Unknown owner - C:\WINDOWS\MsHS64.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe" -f -af (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------------------------------------------------------------------


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/18/2006
The current time is: 2:13:25.56

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 716 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:


-------------------------------------------------------------

C:\WINDOWS\teller2.chk - DELETED
C:\WINDOWS\SYSTEM32\web.exe - DELETED
C:\winstall.exe - Not Found
C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe - DELETED. Found as a "PF FILE" if that means anything. In folder called "prefetch".
C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe - DELETED. Found as a "PF FILE" if that means anything. In folder called "prefetch".
C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe - DELETED. Found as a "PF FILE" if that means anything. In folder called "prefetch".
C:\WINDOWS\SYSTEM32\vxgamet4.exe - DELETED.
C:\WINDOWS\SYSTEM32\vxgame4.exe - DELETED. Found as a "PF FILE" if that means anything. In folder called "prefetch".
C:\WINDOWS\SYSTEM32\TFTP136 - Not Found.
C:\WINDOWS\SYSTEM32\sysc.exe - Deleted.
C:\WINDOWS\SYSTEM32\staff.html - Found as html document from 2004. Left alone.
C:\WINDOWS\SYSTEM32\services\ovv.exe - Not Found.
C:\WINDOWS\SYSTEM32\services\loud234.exe - Deleted.
C:\WINDOWS\SYSTEM32\kernels64.exe - Cannot delete. Access is denied.
C:\WINDOWS\SYSTEM32\i - Not Found.
C:\WINDOWS\SYSTEM32\foenix.exe - Not Found.
C:\WINDOWS\SYSTEM32\cd_clint.dll - Deleted.
C:\WINDOWS\SYSTEM\svchost.exe - Deleted 2 files with that as part of the name, that had been created shortly after I got this thing. I kept another 2 which were made in 2002 and 2003. Should I have deleted those??
C:\WINDOWS\SYSTEM\svchost.dll - Not Found.
C:\WINDOWS\re12.reg - Deleted.
C:\WINDOWS\nem219.dll - Deleted.
C:\WINDOWS\GatorHDPlugin.log - Deleted.
C:\WINDOWS\Downloaded Program Files\ATPartners.inf - Not Found.


Should I empty the Prefetch folder? Of those I mentioned as being only PF files that I deleted, I notice that they're the ones that keep on coming back and prompting ewido to ask me to clean them on start up. How do I rid my computer completely of them?? The actual things. That problem is still the same and hasn't changed with that. I haven't seen the red circles for a bit, though. Should I continue running adware as often as possible?? I don't know. My computer is running a lot better after everything, but I would like to be rid of these pests once and for all. I'm sorry if it's taking a bit and I continue to ask for help, and you have to come back to this.

Edit: The red circle and white x with the notice "Your computer is infected" has returned now when I started up my computer just now.

Edited by Kid A, 18 January 2006 - 03:15 PM.


#10
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download the free MWAV antivirus tool from here:
ftp://ftp.microworldsystems.com/download/tools/mwav.exe

Save it to the desktop and run it.

Follow the prompts to scan your system for viruses.

Then please post for me the log of infected files from the BOTTOM panel of the scan window.

Please be patient as it would take quite some time to finish up the scan.

#11
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#12
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Topic reopened at the request of the user.



User - Please post the MWAV log and a fresh Hijack This log.

#13
Kid A

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
MWAV log:

File C:\WINDOWS\System32\kernels64.exe infected by "Trojan-Downloader.Win32.Tibs.bv" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\kernels64.exe infected by "Trojan-Downloader.Win32.Tibs.bv" Virus! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "coolwebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "paymite Trojan-Spy" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "dyfuca Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "free scratch and win Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "free scratch and win Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "free scratch and win Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "free scratch and win Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "spywarestrike Trojan-Downloader" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\System32\ii infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\sachostm.exe infected by "Email-Worm.Win32.Locksky.z" Virus! Action Taken: No Action Taken.

--------------------------------------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:42:40 PM, on 2/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels64.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\DOCUME~1\SIRWIL~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\SIRWIL~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hpF38.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "c:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [WindowsUpdateNT] C
O4 - HKCU\..\Run: [WindowsUpdate] c:\windows\r4.exe /s
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A52995E-EFA6-4D75-B1E9-7D7DC65D93C9}: NameServer = 200.68.192.243 64.76.16.42
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: wLYHORZ - {686541B5-C2CF-EB1F-8AA1-507A7DC8A3AC} - C:\WINDOWS\System32\kxwom.dll (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: MsHS64 - Unknown owner - C:\WINDOWS\MsHS64.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe" -f -af (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Due to heavy rainfall, my phone line (and net connectivity) was down for the last few days.


Please post a fresh Hijack This log for me to continue.

#15
Kid A

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hey,

Sorry I haven't posted back yet. To be honest, when you didn't reply back initially I went to another forum and asked for help. The spyware problem has semi been taken care of. Now, I have a new problem. I can't access the internet from my home computer. When I try to connect, I get an "Error 50" "The request is not supported" message or an "Error 50" "The handle is invalid" message. I don't know what the problem is. Do you have any idea or information that could help me out?

I don't know if this is against policy here, or if any of you get offended by people going to other websites for assistance also. But, here is my thread on another forum:

http://www.castlecop...ware_Probl.html