Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT-Kevinap34


  • Please log in to reply
15 replies to this topic

#1 Kevinap34

Kevinap34

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 04 July 2005 - 03:04 AM

I recently recieved a virus by downloading what appeared to be a legitimate site for Codecs files.

Please do NOT download anything from this site.
The website is called http://www.vcodec.com/

I unfortunately downloaded from there. Soon afterwards my Avast anti-virus told me I got a trojan virus. Being a newbie I am I quarrentined 2 files that popped up. One that was a log file the other called shlong or something like that. After looking at the quarrentined files I decided to delete them to prevent any chances of spreading. (If this never happens, then I'm really showing my paranoia).

Suddenly I had my desktop hijacked (blue screen with text) and 2 shortcut icons (Online dating, and Remove Spyware). I was getting pop ups to adware removal sites (PSGuard) and online gambling links. I also noticed that there are crapload of links added to my favorites(only in IE) folder (I use Firefox). The desktop icons and the links all come from http://www.pageforyou.net/search.php?qq=(whatever topic).

Under advice from an online friend he gave me links to help me out. I followed this link http://www.trendmicro.com/spyware-scan/ and ran the scan, it found 25 different problems and fixed it. Yet I was still getting pop ups. So he gave me a link to this site. The page I followed is How_to_remove_the_Smitfraud_Quicknavigate_VirtualMaid and I began following the steps until I got to part where I run HijackThis in safe mode. I didn't see anything in my log that looked like what was shown on the site. So I've decided I'll post my log and see what you Smart and incredibly nice people can find whats my problem(s) are.

One thing I should point out, I have Spybot but I'm having problems with it as I can't seem to open the software in advance mode without it just going into autoscan. So there's no way to update the definitions. Anyone know how I can fix this problem as well It would be much appreciated. I've tried emailing Spybot my problem but they sent me what appears to be an automated response asking me for a log file which they tell me is attainable in the advance mode. :thumbsup:

Here's my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:40:52 AM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/default.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcy/default...oo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [UNVISE32QT.EXE] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Messenger.lnk = C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094351173796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)

Edited by Kevinap34, 04 July 2005 - 03:09 AM.


BC AdBot (Login to Remove)

 


m

#2 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 04 July 2005 - 07:15 AM

Hello Kevin and welcome to Bleeping. :thumbsup:

Before we get started, can I ask you to repost your log only this time ensure you're running in normal mode NOT safe mode whils't generating it.

Click on 'Add Reply' at the bottom of this post when you're ready to repost the log.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 04 July 2005 - 11:22 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:19:23 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\intel32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/default.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcy/default...oo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [UNVISE32QT.EXE] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Messenger.lnk = C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094351173796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)

#4 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 05 July 2005 - 04:09 AM

Step 1

Ensure you're familiar with rebooting into Safe Mode.

Download SmitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Download and install the trial version of Ewido Security Suite from here.
Read the instructions here before installing/configuring the program and then close it after updating the reference files.
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions here.
Otherwise, check for updates and download any new reference files before closing the program. We'll use it in Safe Mode later.


Step 2

Next, please reboot your computer in Safe Mode - Very Important !!

Uninstall SpyKiller via Add/Remove Programs if an entry is present. The program is a waste of space.

Click on Start | Run and type sc delete MSLLR and hit 'Enter'.

You can also remove the Norton service which seems to be hanging around after uninstalling it sometime in the past.
Click on Start | Run and type sc delete navapsvc and hit 'Enter'.



Step 3

Run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [UNVISE32QT.EXE] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked


Step 4

Open the SmitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Step 5

Open Ad-aware and do a full system scan. Remove all it finds.


Step 6

Now open Ewido Security Suite:
- Click on Scanner
- Make sure the following boxes are checked before scanning:
-- Binder
-- Crypter
-- Archives
- Click on Start Scan
- Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

- Click Save report.
- Save the report to your desktop.

Warning: While the scan is in progress, do NOT open any folders or the Windows Control Panel !!


Step 7

Next go to your Control Panel and click Display | Desktop | Customise Desktop | Website
Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, and do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and Ewido Log in your next reply.
Let me know if any problems persist.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#5 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 05 July 2005 - 11:29 AM

Couple of things I wanna ask before i follow these steps. I Downloaded and installed the trial version of Ewido Security Suite, but it wouldn't update. According to the status message in the lower left corner it said "Connection couldn't be established"

EDIT: Its now saying "The update server is in the process of being updated. Please try again later!"

I also noticed you asked me to install Ad-Aware SE 1.06, I already have Spybot - Search & Destroy, but I need to fix it. A few months ago it didn't start up like it usually does so I went into advance mode not knowing what I was really doing I checked the box for it to scan upon start up. Ever since then I've never been able to open Spybot without it going directly into scanning. I've heard there's a way to fix the problem, a batch file or a different icon in the Spybot folder that will give me access to the advance mode so I can uncheck what I did.

I have nothing against Ad-Aware SE 1.06, but I don't want to install another Anti-Spyware software unless I really have to.

Edited by Kevinap34, 05 July 2005 - 11:44 AM.


#6 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 05 July 2005 - 05:12 PM

Remove this line with HijackThis to stop Spybot scanning at startup:

O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore

- Then open Spybot and while in Advanced Mode, click on Settings from the left hand menu and then Settings again from the submenu beneath.
- Scroll down to the Program Start section and uncheck 'Run check on program start'.
- Under the System Start section, select 'No automation' and if necessary uncheck 'Run check on program start'.


Both Spybot and Ad-Aware are widely considered leaders in their fields and recommended by most to be ran in conjunction with each other. Both programs may sometimes find things the other hasn't so it's a good idea to have both. Anti-spyware programs aren't like Anti-Virus. You can quite happily run two along side each other to add an extra layer of defence to your system. Personally, I find Ad-Aware a little more configurable than Spybot so recommend you install and scan as instructed even if only for the duration of the fix. :thumbsup:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#7 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 06 July 2005 - 12:05 PM

I followed the directions to fix Spybot, that didn't work as it still goes into autoscan when I click on advance mode icon in the start menu. (in fact I had to look for the right program to run it and it still went into autoscan.)

Here's the Panda activescan log. I should point out my avast anti-virus alarmed me of possible virus (Kuang2) when I attempted to use Panda. I disabled Avast and ran Panda scan, which took at least 8 hours to scan my 110GB harddrive.


Incident Status Location

Virus:W32/Smitfraud.B Disinfected Operating system
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Owner\Favorites\online dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Black Jack Online.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Owner\Favorites\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Take It Here - Free Porn TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Web Detective.url
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\uninstIU.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:01:44 AM, 7/6/2005
+ Report-Checksum: D21FA110

+ Scan result:

HKU\S-1-5-21-2353213275-2374396671-844555446-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-2353213275-2374396671-844555446-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-21-2353213275-2374396671-844555446-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-2353213275-2374396671-844555446-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.328:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.329:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.338:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.339:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.340:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.347:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.351:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.353:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.392:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.393:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.412:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.413:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.414:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.415:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.416:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.417:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.418:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.419:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.420:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.490:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.491:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.510:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.511:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.512:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.514:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.515:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.516:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.517:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.518:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.521:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.538:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.539:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.540:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.542:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.575:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.608:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.632:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.684:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.701:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.702:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.721:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.722:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.723:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.729:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.730:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.747:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.748:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.785:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.786:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.787:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.788:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.789:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.821:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.828:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.829:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.907:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.927:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.928:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.948:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.7bt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-42aa640a-2b7f1a37.class -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20050706-001735-386.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Hewlett-Packard\Memories Disc\hpodlog.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\RECYCLER\S-1-5-21-2353213275-2374396671-844555446-500\Dc2\jenna_piporama\jenna_piporama.exe -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\S-1-5-21-2353213275-2374396671-844555446-500\Dc2\LapipedeBritney.avi\LapipedeBritney.avi.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\intel32.exe -> Trojan.Agent.ff : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End


Here's the last ewido scan


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:41:07 AM, 7/6/2005
+ Report-Checksum: E76B45BA

+ Scan result:

No infected objects found.


::Report End


Here's HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:03:59 AM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/default.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcy/default...oo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [UNVISE32QT.EXE] C:\WINDOWS\VOLUME\UNVISE32QT.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Messenger.lnk = C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094351173796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)


Here's the lastest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:54:03 AM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe

#8 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 06 July 2005 - 02:02 PM

Uninstall and then reinstall Spybot.

Your last post is incomplete. Can you post the last log again please.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#9 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 06 July 2005 - 02:30 PM

I unistalled and reinstalled Spybot and then clicked the advance mode icon and it went into autoscan, No change.
EDIT: I fixed the problem, I made a mistake of reinstalling an older version of Spybot. which had history of autoscan problems. Anyway I've since reinstalled the newest version of Spybot. I'm now able to go into advance mode.

Here's the rest of the log

Logfile of HijackThis v1.99.1
Scan saved at 10:54:03 AM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/default.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcy/default...oo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Messenger.lnk = C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094351173796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)

Edited by Kevinap34, 06 July 2005 - 03:18 PM.


#10 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 10 July 2005 - 04:09 PM

Sorry for the delay in responding. Mini crisis averted.

You HJT log is clean so a little clearing up should see you on your way. :thumbsup:

Go to C:\Documents and Settings\Owner\Favorites\ and delete all the bad url's listed by Panda.


Then clean out your Sun Java cache:

Click Start | Control Panel.
Open the "Java Plug-in Control Panel" and select the Cache Tab.
Click the Clear button inside the Cache Tab, to clear your JRE cache directory.

Finally, find and delete this file (if found) and then run a final AV scan at Kasperskey Online.

C:\WINDOWS\uninstIU.exe

Let me know how you get on. :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#11 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 11 July 2005 - 02:14 AM

John I couldn't help but to notice you're from Liverpool, UK according to your profile. Sorry to hear about the attacks in London, I hope you didn't lose anyone close to you.

I couldn't find the Cache tab in the Java Control Panel, and what file did you want me to delete? was it uninstIU.exe ?

#12 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 11 July 2005 - 03:21 PM

Luckily my family live a long way away. :thumbsup:

Sorry, my Java instructions were out of date.

Click Start | Control Panel.
Double-click the "Java Control Panel" icon.
On the 'General' tab under the 'Temporary Internet Files section', click Delete Files.
Click Apply and then OK.

And then yes, delete that file (if found):

C:\WINDOWS\uninstIU.exe

Have you run the Kasperskey scan yet?
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#13 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 11 July 2005 - 11:28 PM

I deleted the Temporary Internet Files within the Java control panel without a problem.

I couldn't find C:\WINDOWS\uninstIU.exe

I ran the Kaspersky scan and during the process my Avast anti-virus software detected the same viruses as trojans that Kaspersky listed. I had to quarrentine the files so it could finish the scan. Here's the results:

Monday, July 11, 2005 22:53:29
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/07/2005
Kaspersky Anti-Virus database records: 130126
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 127426
Number of viruses found 4
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 10901 sec

Infected Object Name Virus Name
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP142\A0014154.exe Infected: Trojan-Downloader.Win32.Zlob.t
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP142\A0015368.exe Infected: Trojan.Win32.Dialer.eg
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP142\A0015369.exe Infected: Trojan.Win32.Dialer.eg
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP157\A0015811.exe Infected: Trojan.Win32.Agent.ff
C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.a
Scan process completed.

#14 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:01:27 PM

Posted 12 July 2005 - 02:52 AM

If you couldn't find uninstIU.exe, it looks like Panda removed it. :thumbsup:

The first four KAV detected are infected restore points so we'll purge System Restore to remove those (see below).

If the fifth is quarantined I'd say you're good to go.

Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.


Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and renable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and renable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from the tutorial above.



Clean out ALL Temp Files

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the 'Delete Files' button and put a checkmark in 'Delete Offline Content'. Then press the OK button. This may take quite a while, so don't be alarmed if it takes a while.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Safe Surfing

HJM :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#15 Kevinap34

Kevinap34
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 12 July 2005 - 04:07 PM

John,
Everything seems to be working smoothly, Thanks alot for all your help.

Is there anything that can be done about shutting that site down that gave me the virus? Is there any legal action that can be taken against the creators of that site? Personally I find the notion of malware criminalistic and should be considered the cruelest form of trespassing on private property or kidnapping (stealing) a computer from a user.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users