
Possible Darksma, Virtumode, Or Vmonde Infection


This topic is locked
16 replies to this topic

#1 comingdarkage

comingdarkage

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 06 August 2007 - 09:30 PM

Hello, I've recently been infected by darksma and some other pesky spyware. I've been trying to eliminate it using Adaware, Spybot, my virus protection, etc. to no avail. Here is the HijackThis log just taken. Thanks for the help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:20 PM, on 8/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\?ymantec\m?hta.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://library.unh.edu:8080/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\TOM LEARY IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TOM LEARY IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {16AFADE3-0630-5ABF-2F75-49B60B38F09B} - C:\WINDOWS\System32\cjcfru.dll
O2 - BHO: (no name) - {22b286f0-b08d-4fbe-b96d-da9757a9026a} - C:\WINDOWS\System32\bop874.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {99777bdc-3a6c-43f1-b001-d1542ac1f62e} - C:\WINDOWS\system32\c_1ftp.dll
O2 - BHO: (no name) - {a9146141-25c3-424b-8e25-9b005d37cb6d} - C:\WINDOWS\System32\comtat.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tmp46.tmp.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WinampAgent] "G:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [nwtihen] C:\WINDOWS\nwtihen.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\System32\Starter.Exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\pmkihg.dll",forkonce
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Uta] C:\WINDOWS\?ymantec\m?hta.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1ftp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1ftp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\c_1ftp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3AE9ED90-4B59-47A0-873B-7B71554B3C3E} (JoystickCtl Class) - http://downloads.bigredswitch.co.uk/joystick.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://mightyrhapsody.multiply.com/photos/uploader.cab
O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp2p.com/sfiles/phasex.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://anu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.5.128.9,207.5.128.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.5.128.9,207.5.128.10
O20 - AppInit_DLLs: c:\windows\system32\pmkjigg.dll
O20 - Winlogon Notify: bop874 - bop874.dll (file missing)
O20 - Winlogon Notify: comtat - comtat.dll (file missing)
O20 - Winlogon Notify: c_1ftp - C:\WINDOWS\SYSTEM32\c_1ftp.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

--
End of file - 9752 bytes


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:53 PM

Posted 07 August 2007 - 04:19 AM

Hello and welcome aboard :thumbsup:

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 comingdarkage

comingdarkage
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 07 August 2007 - 09:08 AM

Here's the combofix log.

ComboFix 07-08-04.3 - "Tom Leary IV" 2007-08-07 9:37:43.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\wnsxs~1
C:\Program Files\wnsxs~1\wuaclt.exe
C:\WINDOWS\system32\c_1ftp.dll
C:\WINDOWS\system32\dn000012a9.dat
C:\WINDOWS\system32\gebcc.exe
C:\WINDOWS\system32\gebya.exe
C:\WINDOWS\system32\tmp46.tmp.dll
C:\WINDOWS\system32\wcpsvcc32.exe
C:\WINDOWS\ymante~1
C:\WINDOWS\ymante~1\m?hta.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\nm


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 10:03 138,416 --a------ C:\WINDOWS\system32\dn000012a9.dat
2007-08-07 10:02 92,828 --a------ C:\WINDOWS\system32\ias855.dll
2007-08-07 10:02 105,383 --a------ C:\WINDOWS\system32\jkkjj.exe
2007-08-07 09:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 17:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-06 13:48 <DIR> d-------- C:\VundoFix Backups
2007-08-06 13:21 131,421 --a------ C:\WINDOWS\pmkihg.dll
2007-08-04 19:29 13,380 --a------ C:\WINDOWS\system32\pmkjigg.dll
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Yahoo!
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-04 15:16 60,928 --a------ C:\WINDOWS\system32\cjcfru.dll
2007-07-31 20:25 84,992 --a------ C:\WINDOWS\WebAssist.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-03-17 16:24 61440 --a------ C:\WINDOWS\system32\W32N50.dll
2013-03-17 04:24 76160 -ra------ C:\WINDOWS\system32\drivers\vnetusbr.sys
2007-08-07 10:04 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\OpenOffice.org2
2007-08-07 10:03 --------- d-------- C:\Program Files\Steam
2007-08-04 19:32 32768 --a------ C:\WINDOWS\system32\Starter.Exe.vir
2007-08-04 19:31 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe.vir
2007-08-04 12:04 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Viewpoint
2007-06-24 14:42 --------- d-------- C:\Program Files\Soulseek
2007-06-23 14:59 --------- d-------- C:\Program Files\Viewpoint
2007-06-23 14:59 --------- d-------- C:\Program Files\AIM6
2007-06-09 14:48 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2005-10-22 15:14 560 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\ViewerApp.dat
2004-10-19 17:08 668 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\waver_2.81.dat
2002-10-28 22:39 6672384 -ra------ C:\Program Files\aom.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16AFADE3-0630-5ABF-2F75-49B60B38F09B}]
2007-08-01 09:43 60928 --a------ C:\WINDOWS\System32\cjcfru.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22b286f0-b08d-4fbe-b96d-da9757a9026a}]
C:\WINDOWS\System32\bop874.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-08-02 19:17 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9146141-25c3-424b-8e25-9b005d37cb6d}]
C:\WINDOWS\System32\comtat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="G:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]
"nwtihen"="C:\WINDOWS\nwtihen.exe" []
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [2004-02-29 22:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29]
"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-11 11:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-17 17:17]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29]
"EnsoniqMixer"="C:\WINDOWS\System32\Starter.Exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-06-29 22:32]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 13:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
"Uta"="C:\WINDOWS\?ymantec\m?hta.exe" []
"Aaou"="C:\PROGRA~1\WNSXS~1\wuaclt.exe" []

C:\Documents and Settings\Tom Leary IV\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bop874]
bop874.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comtat]
comtat.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ias855]
ias855.dll 2007-08-07 10:02 92828 C:\WINDOWS\system32\ias855.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmkjigg.dll

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\System32\drivers\NaiFsRec.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\System32\DRIVERS\sbp2port.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\System32\drivers\cdrbsvsd.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\System32\DRIVERS\bwcdrv.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 CBBCM43;BUFFALO WLI-CB-G54 Wireless Network Adapter;C:\WINDOWS\System32\DRIVERS\bcmwl5.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
R3 sbpci;SB PCI Family Audio Driver (WDM);C:\WINDOWS\System32\drivers\sbpci.sys
S1 EACMOS;EACMOS;C:\WINDOWS\System32\drivers\EACMOS.SYS
S1 EAWDMFD;EAWDMFD;C:\WINDOWS\System32\drivers\EAWDMFD.sys
S3 aatinrax;aatinrax;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\aatinrax.sys
S3 atirage3;atirage3;C:\WINDOWS\System32\DRIVERS\atimpae.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 ESSIDSET;ESSIDSET;\??\C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.sys
S3 Gcr432;Gcr432;C:\WINDOWS\System32\Drivers\gcr432.sys
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\gsplittm.sys
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\System32\Drivers\Kazoo.sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
S3 oftdisk;oftdisk;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\oftdisk.sys
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\System32\DRIVERS\SMC1211.SYS
S3 USBFVNETR;ATMEL USB FastVNET (AR);C:\WINDOWS\System32\DRIVERS\vnetusbr.sys
S3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

Contents of the 'Scheduled Tasks' folder
2007-08-05 04:00:00 C:\WINDOWS\Tasks\At1.job
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-07 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-07-29 15:00:30 C:\WINDOWS\Tasks\At12.job
2007-07-29 16:00:30 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-04 17:01:27 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-06 18:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-06 19:00:00 C:\WINDOWS\Tasks\At16.job
2007-08-06 20:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-04 21:00:30 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-06 22:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-06 23:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-07 00:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-07 01:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-07 02:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-08-05 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\System32\Q2F56R6L.exe
2007-07-03 21:31:12 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\Q2F56R6L.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 10:03:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 10:06:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 10:05

--- E O F ---

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:53 PM

Posted 07 August 2007 - 10:22 AM

Open notepad and copy/paste the text in the quotebox into it

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwtihen"=-
"Uta"=-
"Aaou"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bop874]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comtat]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ias855]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

File::
C:\WINDOWS\pmkihg.dll
C:\WINDOWS\system32\pmkjigg.dll
C:\WINDOWS\nwtihen.exe
C:\WINDOWS\system32\dn000012a9.dat
C:\WINDOWS\system32\ias855.dll
C:\WINDOWS\system32\jkkjj.exe
C:\WINDOWS\System32\cjcfru.dll
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\System32\bop874.dll
C:\WINDOWS\System32\comtat.dll
C:\WINDOWS\system32\ias855.dll
C:\windows\system32\pmkjigg.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At24.job

Folder::
C:\VundoFix Backups


Save it as CFScript.txt on your desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
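The entries Rawe's script targets share patterns a defender can check for mechanically: an autostart whose file is already gone ("(file missing)"), a binary sitting directly in the Windows root (nwtihen.exe, pmkihg.dll), a path with a character HijackThis could not render, dressed up as a vendor folder (?ymantec), a populated AppInit_DLLs value, a non-default Winlogon Notify package, and a filename one character off a real system binary (wuaclt.exe next to the real wuauclt.exe). The Python script below is an added example, not part of this thread or of HijackThis or ComboFix; it runs those heuristics, which are the editor's own assumptions rather than any tool's verdict, over a constructed sample of HijackThis-style lines modelled on the log above.

```python
"""Triage HijackThis-style autostart entries with a few defender heuristics."""
import os
import re
from typing import List, Tuple

# Constructed sample input modelled on the entries discussed in this thread
# (hypothetical demo data, not a live log; the [Aaou] line is written in
# HijackThis O4 form from the ComboFix "Reg Loading Points" section).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22b286f0-b08d-4fbe-b96d-da9757a9026a} - C:\WINDOWS\System32\bop874.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwtihen] C:\WINDOWS\nwtihen.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\pmkihg.dll",forkonce
O4 - HKCU\..\Run: [Uta] C:\WINDOWS\?ymantec\m?hta.exe
O4 - HKCU\..\Run: [Aaou] C:\PROGRA~1\WNSXS~1\wuaclt.exe
O20 - AppInit_DLLs: c:\windows\system32\pmkjigg.dll
O20 - Winlogon Notify: comtat - comtat.dll (file missing)
O20 - Winlogon Notify: c_1ftp - C:\WINDOWS\SYSTEM32\c_1ftp.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes for the HijackThis sections this script understands.
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[^}]+\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: .*? - .*? - (?P<path>.*)$")

# A binary directly in the Windows root, e.g. C:\WINDOWS\nwtihen.exe.
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)$", re.I)
# System binaries that malware commonly imitates (editor's heuristic list).
SYSTEM_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a          # make a the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1           # substitution consumes a character of both
        j += 1               # insertion consumes only a character of b
    # Any characters left over on either side are further edits.
    return edits + (len(b) - j) + (len(a) - i) <= 1


def first_path(cmd: str) -> str:
    """Pull the launched file out of a Run command line (quoted or bare)."""
    quoted = re.search(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def path_reasons(path: str) -> List[str]:
    """Heuristic reasons a file path deserves a second look."""
    reasons = []
    slashed = path.replace("\\", "/").lower()
    if "?" in path:
        reasons.append("unrenderable character in path, imitating a vendor folder name")
    if WIN_ROOT_RE.match(path):
        reasons.append("binary runs from the Windows root, not a program or system folder")
    name = os.path.basename(slashed)
    if name in SYSTEM_NAMES:
        if "/system32/" not in slashed:
            reasons.append(f"system binary name {name} outside system32")
    elif any(within_one_edit(name, real) for real in SYSTEM_NAMES):
        reasons.append(f"{name} is one character away from a system binary name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that trip a heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if "(file missing)" in line:
            findings.append((line, "orphaned entry: the registry still loads a file that is gone"))
            continue
        m4, m2, m23, m20 = (O4_RE.match(line), O2_RE.match(line),
                            O23_RE.match(line), O20_RE.match(line))
        path = ""
        if m4:
            path = first_path(m4.group("cmd"))
        elif m2:
            path = m2.group("path")
        elif m23:
            path = m23.group("path")
        elif m20 and m20.group("kind") == "AppInit_DLLs":
            findings.append((line, "AppInit_DLLs set: DLL injected into every process that loads user32.dll"))
            continue
        elif m20:
            findings.append((line, "non-default Winlogon Notify package: code runs inside winlogon.exe"))
            continue
        if path:
            for reason in path_reasons(path):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Every flagged line still needs a human check against the running processes and the file dates in the ComboFix report; the heuristics only order the review.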

#5 comingdarkage

comingdarkage
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 07 August 2007 - 10:51 AM

Here's the log produced by running the CFScript.

ComboFix 07-08-04.3 - "Tom Leary IV" 2007-08-07 11:39:11.2 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Tom Leary IV\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\VundoFix Backups
C:\WINDOWS\pmkihg.dll
C:\WINDOWS\System32\cjcfru.dll
C:\WINDOWS\system32\dn000012a9.dat
C:\WINDOWS\system32\ias855.dll
C:\WINDOWS\system32\jkkjj.exe
C:\WINDOWS\system32\pmkjigg.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\WebAssist.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 09:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 17:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Yahoo!
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-03-17 16:24 61440 --a------ C:\WINDOWS\system32\W32N50.dll
2013-03-17 04:24 76160 -ra------ C:\WINDOWS\system32\drivers\vnetusbr.sys
2007-08-07 11:48 --------- d-------- C:\Program Files\Steam
2007-08-07 11:48 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\OpenOffice.org2
2007-08-04 19:32 32768 --a------ C:\WINDOWS\system32\Starter.Exe.vir
2007-08-04 19:31 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe.vir
2007-08-04 12:04 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Viewpoint
2007-06-24 14:42 --------- d-------- C:\Program Files\Soulseek
2007-06-23 14:59 --------- d-------- C:\Program Files\Viewpoint
2007-06-23 14:59 --------- d-------- C:\Program Files\AIM6
2007-06-09 14:48 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2005-10-22 15:14 560 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\ViewerApp.dat
2004-10-19 17:08 668 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\waver_2.81.dat
2002-10-28 22:39 6672384 -ra------ C:\Program Files\aom.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22b286f0-b08d-4fbe-b96d-da9757a9026a}]
C:\WINDOWS\System32\bop874.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9146141-25c3-424b-8e25-9b005d37cb6d}]
C:\WINDOWS\System32\comtat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="G:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [2004-02-29 22:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29]
"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-11 11:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-17 17:17]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29]
"EnsoniqMixer"="C:\WINDOWS\System32\Starter.Exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-06-29 22:32]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 13:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
"Uta"="C:\WINDOWS\?ymantec\m?hta.exe" []
"Aaou"="C:\PROGRA~1\WNSXS~1\wuaclt.exe" []

C:\Documents and Settings\Tom Leary IV\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bop874]
bop874.dll

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\System32\drivers\NaiFsRec.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\System32\DRIVERS\sbp2port.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\System32\drivers\cdrbsvsd.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\System32\DRIVERS\bwcdrv.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 CBBCM43;BUFFALO WLI-CB-G54 Wireless Network Adapter;C:\WINDOWS\System32\DRIVERS\bcmwl5.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
R3 sbpci;SB PCI Family Audio Driver (WDM);C:\WINDOWS\System32\drivers\sbpci.sys
S1 EACMOS;EACMOS;C:\WINDOWS\System32\drivers\EACMOS.SYS
S1 EAWDMFD;EAWDMFD;C:\WINDOWS\System32\drivers\EAWDMFD.sys
S3 aatinrax;aatinrax;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\aatinrax.sys
S3 atirage3;atirage3;C:\WINDOWS\System32\DRIVERS\atimpae.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 ESSIDSET;ESSIDSET;\??\C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.sys
S3 Gcr432;Gcr432;C:\WINDOWS\System32\Drivers\gcr432.sys
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\gsplittm.sys
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\System32\Drivers\Kazoo.sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
S3 oftdisk;oftdisk;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\oftdisk.sys
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\System32\DRIVERS\SMC1211.SYS
S3 USBFVNETR;ATMEL USB FastVNET (AR);C:\WINDOWS\System32\DRIVERS\vnetusbr.sys
S3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 11:48:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 11:49:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 11:49
C:\ComboFix2.txt ... 2007-08-07 10:06

--- E O F ---

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:53 PM

Posted 07 August 2007 - 11:00 AM

Open notepad again and copy/paste the text in the quotebox into it

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a9146141-25c3-424b-8e25-9b005d37cb6d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22b286f0-b08d-4fbe-b96d-da9757a9026a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bop874]

File::
C:\WINDOWS\System32\bop874.dll
C:\WINDOWS\System32\comtat.dll


Save it as CFScript.txt on your desktop. (Delete the earlier one)

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply along with a fresh HijackThis log. :thumbsup:

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#7 comingdarkage

comingdarkage
  • Topic Starter

  • Members
  • 39 posts

Posted 07 August 2007 - 11:13 AM

Here's the CFScript log

ComboFix 07-08-04.3 - "Tom Leary IV" 2007-08-07 12:07:38.3 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Tom Leary IV\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 09:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 17:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Yahoo!
2007-08-04 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-03-17 16:24 61440 --a------ C:\WINDOWS\system32\W32N50.dll
2013-03-17 04:24 76160 -ra------ C:\WINDOWS\system32\drivers\vnetusbr.sys
2007-08-07 11:48 --------- d-------- C:\Program Files\Steam
2007-08-07 11:48 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\OpenOffice.org2
2007-08-04 19:32 32768 --a------ C:\WINDOWS\system32\Starter.Exe.vir
2007-08-04 19:31 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe.vir
2007-08-04 12:04 --------- d-------- C:\DOCUME~1\TOMLEA~1\APPLIC~1\Viewpoint
2007-06-24 14:42 --------- d-------- C:\Program Files\Soulseek
2007-06-23 14:59 --------- d-------- C:\Program Files\Viewpoint
2007-06-23 14:59 --------- d-------- C:\Program Files\AIM6
2007-06-09 14:48 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2005-10-22 15:14 560 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\ViewerApp.dat
2004-10-19 17:08 668 --a------ C:\DOCUME~1\TOMLEA~1\APPLIC~1\waver_2.81.dat
2002-10-28 22:39 6672384 -ra------ C:\Program Files\aom.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="G:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [2004-02-29 22:00]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29]
"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-11 11:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-17 17:17]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29]
"EnsoniqMixer"="C:\WINDOWS\System32\Starter.Exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-06-29 22:32]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 13:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
"Uta"="C:\WINDOWS\?ymantec\m?hta.exe" []
"Aaou"="C:\PROGRA~1\WNSXS~1\wuaclt.exe" []

C:\Documents and Settings\Tom Leary IV\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\System32\drivers\NaiFsRec.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\System32\DRIVERS\sbp2port.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\System32\drivers\cdrbsvsd.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\System32\DRIVERS\bwcdrv.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 CBBCM43;BUFFALO WLI-CB-G54 Wireless Network Adapter;C:\WINDOWS\System32\DRIVERS\bcmwl5.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
R3 sbpci;SB PCI Family Audio Driver (WDM);C:\WINDOWS\System32\drivers\sbpci.sys
S1 EACMOS;EACMOS;C:\WINDOWS\System32\drivers\EACMOS.SYS
S1 EAWDMFD;EAWDMFD;C:\WINDOWS\System32\drivers\EAWDMFD.sys
S3 aatinrax;aatinrax;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\aatinrax.sys
S3 atirage3;atirage3;C:\WINDOWS\System32\DRIVERS\atimpae.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 ESSIDSET;ESSIDSET;\??\C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.sys
S3 Gcr432;Gcr432;C:\WINDOWS\System32\Drivers\gcr432.sys
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\gsplittm.sys
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\System32\Drivers\Kazoo.sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
S3 oftdisk;oftdisk;\??\C:\DOCUME~1\TOMLEA~1\LOCALS~1\Temp\oftdisk.sys
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\System32\DRIVERS\SMC1211.SYS
S3 USBFVNETR;ATMEL USB FastVNET (AR);C:\WINDOWS\System32\DRIVERS\vnetusbr.sys
S3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 12:10:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 12:11:33
C:\ComboFix-quarantined-files.txt ... 2007-08-07 12:11
C:\ComboFix2.txt ... 2007-08-07 11:49
C:\ComboFix3.txt ... 2007-08-07 10:06

--- E O F ---

----------------------------------------------------------

Here's the fresh HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:46 PM, on 8/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
G:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://library.unh.edu:8080/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\TOM LEARY IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TOM LEARY IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WinampAgent] "G:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\System32\Starter.Exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Uta] C:\WINDOWS\?ymantec\m?hta.exe
O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\WNSXS~1\wuaclt.exe" -vt ndrv
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3AE9ED90-4B59-47A0-873B-7B71554B3C3E} (JoystickCtl Class) - http://downloads.bigredswitch.co.uk/joystick.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://mightyrhapsody.multiply.com/photos/uploader.cab
O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp2p.com/sfiles/phasex.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://anu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.5.128.9,207.5.128.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.5.128.9,207.5.128.10
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

--
End of file - 8592 bytes

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 07 August 2007 - 11:29 AM

Scan with HijackThis and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Uta] C:\WINDOWS\?ymantec\m?hta.exe
O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\WNSXS~1\wuaclt.exe" -vt ndrv
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://anu.popcap.com/games/popcaploader_v5.cab


Now close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

===

Delete the following folder:

C:\Program Files\ISM

===

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

====

Finally... Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :thumbsup:

Hi there, stranger!
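The HijackThis lines Rawe picks out above share a few tell-tale cues: browser settings forced to about:blank, a hook that points at "(no file)", a Run entry whose path contains characters HijackThis renders as "?", and an executable named one letter away from a real Windows binary (wuaclt.exe vs. wuauclt.exe). The following triage helper is an added example, not code from the thread or from the HijackThis project; it encodes those cues as checks over log lines, and the list of system binaries and the sample lines are constructed for the demo.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags entries using the same cues a forum helper reads for: browser
settings reset to about:blank, hooks pointing at "(no file)", paths with
characters HijackThis could not render ("?"), and executable names that
mimic a Windows system binary by a one-character change.
"""
import re

# Section code ("R1", "O4", ...) followed by " - " and the rest of the line.
LINE_RE = re.compile(r"^(?P<code>[RONF]\d+)\s*-\s*(?P<body>.*)$")

# Either a quoted path (may contain spaces) or an unquoted path up to whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')

# Legitimate Windows binaries that malware names often imitate (constructed list).
SYSTEM_BINARIES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe_name):
    """Return the system binary this name imitates (distance 1), or None."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:
        return None  # the genuine name is not a lookalike
    for known in SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


def triage(line):
    """Return the list of reasons this HijackThis line deserves attention (empty = none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if code in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        reasons.append("browser setting reset to about:blank")
    if "(no file)" in body:
        reasons.append("hook points at a missing file")
    for quoted, bare in PATH_RE.findall(body):
        path = quoted or bare
        if "?" in path:
            # e.g. C:\WINDOWS\?ymantec\m?hta.exe: a folder name HijackThis could not render
            reasons.append("path contains unrepresentable character: " + path)
        exe = path.rsplit("\\", 1)[-1]
        known = lookalike(exe)
        if known:
            reasons.append(f"{exe} mimics {known}")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    return {ln: rs for ln in lines if (rs := triage(ln))}


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank",
    r"R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKCU\..\Run: [Uta] C:\WINDOWS\?ymantec\m?hta.exe",
    r'O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\WNSXS~1\wuaclt.exe" -vt ndrv',
]

if __name__ == "__main__":
    for ln, rs in triage_log(SAMPLE_LOG).items():
        print(ln)
        for r in rs:
            print("    ->", r)
```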

#9 comingdarkage

comingdarkage
  • Topic Starter

  • Members
  • 39 posts

Posted 07 August 2007 - 04:20 PM

Incident Status Location

Adware:adware/iedriver Not disinfected c:\windows\system32\terrabyte.exe
Adware:adware/ipinsight Not disinfected c:\windows\inf\conscorr.inf
Adware:adware/keenvalue Not disinfected c:\windows\browserxtras\pn\remove.exe
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Spyware:spyware/shopnav Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:Adware/Yazzle Not disinfected C:\12A.tmp[++\Yazzle1552OinAdmin.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\12C.tmp[BndDrive.dll]
Adware:Adware/Yazzle Not disinfected C:\1A.tmp[++\Yazzle1552OinAdmin.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\1B.tmp[BndDrive.dll]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[www.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.a.as-us.falkag.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.com.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[server.iad.liveperson.net/hc/34292599]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Firefox\Profiles\zph2vn18.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.metriweb.be/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[.yadro.ru/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[ads.addynamix.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[bs.serving-sys.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[cs.sexcounter.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Tom Leary IV\Application Data\Mozilla\Profiles\default\1g7k3y1l.slt\cookies.txt[www48.seeq.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Tom Leary IV\Desktop\ComboFix.exe[nircmd.exe]
Virus:Generic Malware Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\SearchUpgrader\system.cfg
Virus:Generic Malware Disinfected C:\Program Files\COMPAQ\Netscape Custom NA XP\Plugins\npwthost.dll
Spyware:Spyware/New.net Not disinfected C:\Program Files\Gnutella Lite\nngluz564.exe
Adware:Adware/QuickSearch Not disinfected C:\Program Files\Gnutella Lite\TBGLZ127Q.exe
Virus:Generic Malware Disinfected C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll
Virus:Trj/Downloader.ACG Disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041104214346.zip[WINDOWS/system32/IEHost.EXE]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041104233431.zip[WINDOWS/NDNuninstall5_64.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041104233431.zip[WINDOWS/NDNuninstall6_38.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041104233431.zip[Program Files/newdot~1/newdotnet5_64.dll]

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:53 PM

Posted 08 August 2007 - 12:34 AM

Once more, open Notepad and copy/paste the text in the quotebox into it.

File::
c:\windows\inf\conscorr.inf
c:\windows\browserxtras\pn\remove.exe
C:\12A.tmp
C:\12C.tmp
C:\1A.tmp
C:\1B.tmp
C:\Program Files\Common Files\SearchUpgrader\system.cfg
C:\Program Files\Gnutella Lite\nngluz564.exe
C:\Program Files\Gnutella Lite\TBGLZ127Q.exe
C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll
C:\Temp\My Documents\Data\all_files4.exe
C:\WINDOWS\proxya.exe
C:\WINDOWS\SbCIe0261.dll
C:\WINDOWS\system32\adsldpc0.exe
C:\WINDOWS\system32\avicap11.exe
C:\WINDOWS\system32\file.zip
C:\WINDOWS\system32\unwise.exe
c:\windows\system32\terrabyte.exe

Registry::
[-hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]


Save it as CFScript.txt on your desktop. (Again, delete the earlier ones.)

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

No need to post the new log. However, empty the following two folders (delete every file inside them, not the folders themselves):

C:\Program Files\Yahoo!\YPSR\Quarantine
C:\QooBox\Quarantine


Then please run another Panda Scan and post the new log from it. And let me know how the system is running, still having issues? :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
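As an added example (not code from the thread, ComboFix or Panda), here is the triage Rawe did by hand above, in Python: parse Panda's Incident/Status/Location rows, fold archive members back to their container file the way the all_files4.exe entry in the CFScript does, hold quarantine folders and tracking cookies back for manual handling, and render the File::/Registry:: skeleton. The sample rows, the profile name and the CLSID are constructed placeholders.

```python
"""Triage a Panda ActiveScan report into a ComboFix CFScript.txt skeleton.

Added example, not code from the thread or from ComboFix/Panda. The sample
rows below are constructed to mimic the "Incident Status Location" table
posted in the thread; the profile name and the CLSID are placeholders.
"""
import re

# One report row: "<Category>:<Name> <Status> <Location>". Category and Name
# may contain spaces ("Potentially unwanted tool", "Cookie/Atlas DMT"), so the
# fixed Status token is what separates Name from Location.
ROW_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)

# Trailing "[member]" groups mark a file inside an archive/installer, e.g.
# "all_files4.exe[setup233.exe][td.exe]". ComboFix's File:: section targets
# the container on disk, so those suffixes are folded away.
ARCHIVE_MEMBER_RE = re.compile(r"(\[[^\]]*\])+$")

# Quarantine folders are emptied by hand (as Rawe asked), not scripted.
QUARANTINE_PREFIXES = (
    r"c:\program files\yahoo!\ypsr\quarantine",
    r"c:\qoobox\quarantine",
)


def parse_row(line):
    """Return the row's fields as a dict, or None for header/blank/noise lines."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def container_path(location):
    """Strip archive-member suffixes so the on-disk file is what gets listed."""
    return ARCHIVE_MEMBER_RE.sub("", location)


def triage(lines):
    """Split report rows into CFScript candidates and items handled otherwise.

    Returns {"files": {path: [detections]}, "registry": [names], "skipped": [(what, why)]}.
    """
    files, registry, skipped = {}, [], []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        if row["status"] == "Disinfected":
            skipped.append((row["location"], "already cleaned by Panda"))
            continue
        if row["location"] == "Windows Registry":
            # Panda names the family but not the key; the analyst supplies the
            # key (like the CLSID entry in Rawe's script) after looking it up.
            registry.append(row["name"])
            continue
        if row["name"].startswith("Cookie/"):
            # Tracking cookies sit inside the browser's cookie store; deleting
            # cookies.txt wholesale is the wrong tool, clear them in the browser.
            skipped.append((row["location"], "tracking cookie, clear in browser"))
            continue
        path = container_path(row["location"])
        if path.lower().startswith(QUARANTINE_PREFIXES):
            skipped.append((path, "quarantine folder, empty by hand"))
            continue
        files.setdefault(path, []).append(row["name"])
    return {"files": files, "registry": registry, "skipped": skipped}


def build_cfscript(files, registry_keys=()):
    """Render the File:: and Registry:: sections in the layout used in the thread."""
    out = ["File::"] + list(files)
    if registry_keys:
        out += ["", "Registry::"] + ["[-%s]" % key for key in registry_keys]
    return "\n".join(out) + "\n"


# Constructed sample modelled on the thread's report (USER is a placeholder).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/IEDriver Not disinfected C:\WINDOWS\system32\avicap11.exe
Adware:Adware/IEDriver Not disinfected C:\Temp\My Documents\Data\all_files4.exe[setup233.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Temp\My Documents\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
Virus:Generic Trojan Disinfected C:\QooBox\Quarantine\C\WINDOWS\WebAssist.dll.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\cjcfru.dll.vir
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\xxxx.default\cookies.txt[.atdmt.com/]
Spyware:spyware/shopnav Not disinfected Windows Registry
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    # Placeholder CLSID: a real one comes from the analyst's own lookup.
    print(build_cfscript(result["files"], [r"hkey_classes_root\clsid\{PLACEHOLDER-CLSID}"]))
    for what, why in result["skipped"]:
        print("skipped:", what, "->", why)
    for name in result["registry"]:
        print("registry hit needs a key:", name)
```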

#11 comingdarkage

comingdarkage
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 08 August 2007 - 06:08 PM

Thanks again for all your help. The computer is running fine, but then again I never really had any performance issues. I was just cleaning spyware and noticed an inordinate amount of it. Then I noticed that my virus DATs hadn't updated in a while, and... well, yikes, it was a mess. But the popups are gone and most of the scans are coming back clean now. Here's the Panda Scan log. As an FYI, I shift-deleted the directory including the zip file that contained the viruses. I assume that Panda couldn't clean it because they were contained in a zip file. Anyway, here it is, and thanks again for all your help!


Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[install_soundfil.exe]
Adware:Adware/BrowserAid Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[apropos_client_loader.exe]
Virus:Trj/Qhost.FM Not disinfected G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\Data\all_files4.exe[SvcHost.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe]
Virus:Trj/Downloader.OE Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][install_soundfil.exe]
Adware:Adware/BrowserAid Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][ezStub.exe]
Spyware:Spyware/Apropos Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][apropos_client_loader.exe]
Virus:Trj/Qhost.FM Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][SvcHost.exe]
Adware:Adware/KeenValue Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/incredifind.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe]
Virus:Trj/Downloader.OE Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][install_soundfil.exe]
Adware:Adware/BrowserAid Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][ezStub.exe]
Spyware:Spyware/Apropos Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][apropos_client_loader.exe]
Virus:Trj/Qhost.FM Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/all_files4.exe][SvcHost.exe]
Adware:Adware/KeenValue Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/Data/incredifind.exe]

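The report above is a flat list, but the bracket chains carry the structure that matters for cleanup: `all_files4.exe[setup233.exe][dp-k13w13.exe]` is one file on disk with two layers of nested payload, and the same hits repeat under `Saved stuff.zip` because the archive holds another copy. The added example below (my code, not from the thread or from Panda) parses lines in that layout, separates tracking cookies from real code, and reduces the findings to the outermost containers worth deleting, which is the same conclusion Rawe draws two posts later. The sample lines are constructed in the report's format with shortened paths and a placeholder user name; the severity ranking and the set of status words other than "Not disinfected" are my assumptions, since the thread shows only that one status. The `ComboFix.exe[nircmd.exe]` hit is kept at the lowest non-cookie rank deliberately: the log itself shows it is a component inside the ComboFix tool the user ran, not an infection.

```python
import re
from collections import Counter

# Constructed sample in the layout of the scan report quoted above:
# "<category>:<detection name> <status> <path>[member][member]...".
# Paths shortened and user name replaced; these are not the thread's own lines.
SAMPLE_LOG = r"""
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\abc.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/IEDriver Not disinfected G:\archive\Temp stuff\Saved stuff\Data\all_files4.exe[setup233.exe]
Virus:Trj/Downloader.OE Not disinfected G:\archive\Temp stuff\Saved stuff\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
Virus:Trj/Qhost.FM Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/all_files4.exe][SvcHost.exe]
Adware:Adware/KeenValue Not disinfected G:\archive\Temp stuff\Saved stuff.zip[Saved stuff/Data/incredifind.exe]
"""

# The detection name may contain spaces ("Cookie/Traffic Marketplace"), so it is
# matched lazily up to the status word. Status words other than "Not disinfected"
# are assumed; the thread only shows that one.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed|Quarantined) "
    r"(?P<path>.+)$"
)
# A hit inside an archive or installer is written path[member][member]... Only a
# bracket chain that runs to the END of the line is a member chain, so a cookie
# file literally named "user@advertising[1].txt" keeps its full name.
PATH_RE = re.compile(r"^(?P<base>.*?)(?P<members>(?:\[[^\]]*\])*)$")
MEMBER_RE = re.compile(r"\[([^\]]*)\]")

# Assumed ranking: 0 = tracking cookie, 1 = adware/PUP, 2 = spyware, 3 = virus/trojan.
SEVERITY = {"Virus": 3, "Spyware": 2, "Adware": 1, "Potentially unwanted tool": 1}


def severity(category, name):
    """Tracking cookies are data, not code; everything else ranks by category."""
    if category == "Spyware" and name.startswith("Cookie/"):
        return 0
    return SEVERITY.get(category, 1)


def split_path(path):
    """Split 'C:\\x\\a.exe[b.exe][c.exe]' into the on-disk file and its member chain."""
    m = PATH_RE.match(path)
    return m.group("base"), MEMBER_RE.findall(m.group("members"))


def parse_line(line):
    """One report line -> dict, or None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base, members = split_path(m.group("path"))
    category, name = m.group("category"), m.group("name")
    return {
        "category": category,
        "name": name,
        "status": m.group("status"),
        "path": base,          # the file that actually exists on disk
        "members": members,    # nesting inside it, outermost first
        "severity": severity(category, name),
    }


def parse_report(text):
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


def summarize(findings):
    """Counts per category, e.g. {'Virus': 2, 'Adware': 2, ...}."""
    return dict(Counter(f["category"] for f in findings))


def containers_to_delete(findings, min_severity=2):
    """Outermost files holding at least one finding at or above min_severity.
    Deleting the container removes every nested hit under it in one step."""
    return sorted({f["path"] for f in findings if f["severity"] >= min_severity})


if __name__ == "__main__":
    findings = parse_report(SAMPLE_LOG)
    print(summarize(findings))
    for path in containers_to_delete(findings):
        hits = [f for f in findings if f["path"] == path]
        worst = max(h["severity"] for h in hits)
        print(f"delete {path}  ({len(hits)} findings, worst severity {worst})")
```

With the default threshold the script names exactly the two archive files Rawe tells the user to delete; lowering `min_severity` to 1 would also list `ComboFix.exe`, which is why the threshold is a parameter and not a constant.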
#12 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 09 August 2007 - 03:20 AM

Delete this folder and these files:

c:\program files\common files\SearchUpgrader
G:\archive\Temp stuff\Saved stuff\Saved stuff\Data\all_files4.exe
G:\archive\Temp stuff\Saved stuff.zip


Empty recycle bin.

So... Everything's running fine and scans come back clean? Looks like this case is pretty much done :thumbsup:
Hi there, stranger!

#13 comingdarkage
  • Topic Starter
  • Members
  • 39 posts

Posted 09 August 2007 - 06:14 AM

I think it might be. Thanks again; this is an awesome place for the fight against malware. I'll be donating and referring anyone who has problems here. Thanks!

#14 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 09 August 2007 - 06:32 AM

You're welcome, I'm happy to help! :thumbsup:

First priority: Install Service Pack 2 by visiting Microsoft Update. After you have installed it, reboot, download & install ALL the available critical updates. Then some more preventive maintenance:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use one at a time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!
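The MVPS HOSTS entry in the list above works because Windows consults `%SystemRoot%\System32\drivers\etc\hosts` before it asks DNS, so a name mapped to `127.0.0.1` (or `0.0.0.0`) never produces an outbound connection. Two limits follow from that, and one risk. Matching is exact, with no wildcards, so blocking `ad.yieldmanager.com` does nothing for `cdn.ad.yieldmanager.com`; connections made straight to an IP address bypass the file entirely; and the file is itself a target: the `Trj/Qhost.FM` hit in the scan earlier in this thread belongs to a family named for rewriting the hosts file, typically to redirect update or security-vendor names. The added example below is mine, not Rawe's or the MVPS project's. It parses a hosts file in the same layout, answers "would this name leave the machine?", and flags entries a legitimate blocklist never contains. `SAMPLE_HOSTS` is a constructed excerpt, and `PROTECTED_NAMES` is an illustrative list, not a complete one.

```python
import ipaddress

# Constructed excerpt in Windows hosts-file layout: "<address> <name>... [# comment]".
# The MVPS file uses the same layout; this is not the real list.
SAMPLE_HOSTS = """
# Constructed excerpt for illustration
127.0.0.1 localhost
127.0.0.1 ad.yieldmanager.com
127.0.0.1 bs.serving-sys.com   # ad server that also appears in the scan above
0.0.0.0   ads.addynamix.com www48.seeq.com
192.0.2.10 intranet.example   # an ordinary static entry, not a block
not-an-address junk.example   # malformed line, must be skipped
127.0.0.1 update.microsoft.com   # illustrative Qhost-style hijack entry
"""

# Names that resolve to the machine itself by design, never "blocked".
LOCAL_NAMES = {"localhost"}

# Names an ad-blocking hosts file has no business containing. Finding any of them
# mapped anywhere is the hosts-hijack pattern. Illustrative list, not exhaustive.
PROTECTED_NAMES = {"update.microsoft.com", "windowsupdate.microsoft.com"}


def parse_hosts(text):
    """Return {name.lower(): address} for every well-formed entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                          # first token is not an address: skip
        for name in names:
            mapping.setdefault(name.lower(), address)   # keep the first entry per name
    return mapping


def lookup(mapping, hostname):
    """Address the hosts file supplies, or None if the name would go out to DNS."""
    return mapping.get(hostname.lower().rstrip("."))


def is_sinkholed(mapping, hostname):
    """True when the hosts file points the name at loopback or 0.0.0.0, so the
    connection never leaves the machine. Exact match only: no wildcards."""
    if hostname.lower().rstrip(".") in LOCAL_NAMES:
        return False
    address = lookup(mapping, hostname)
    if address is None:
        return False
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def hijacked_names(mapping):
    """Protected names present in the file at all, whatever they point to."""
    return sorted(name for name in mapping if name in PROTECTED_NAMES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("bs.serving-sys.com", "cdn.ad.yieldmanager.com", "intranet.example"):
        print(f"{name}: sinkholed={is_sinkholed(hosts, name)} hosts={lookup(hosts, name)}")
    print("hijacked:", hijacked_names(hosts))
```

Running `hijacked_names` against the live file after installing the MVPS list, and again whenever the machine misbehaves, is the cheap check that turns the hosts file from a passive blocklist into something you can also audit.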

#15 comingdarkage
  • Topic Starter
  • Members
  • 39 posts

Posted 09 August 2007 - 08:59 AM

Thanks again for this information. I have most of those programs, but some of them are new to me and will be downloaded. I have a question regarding the firewall, though; the computers in my home are part of a network that includes a wireless/DSL router. I have turned the firewall on, and I'm pretty sure it monitors traffic both incoming and outgoing. Is this fine to use, or should I turn it off and download one of the software firewalls and install it on my computers?
