Help Removing Winfixer


  • This topic is locked
11 replies to this topic

#1 vnzjunk

  • Members
  • 20 posts

Posted 20 October 2005 - 02:29 PM

Hello

This is my first try on this forum.

I somehow picked up the winfixer trojan and wonder if someone would like to help me get rid of it?

Thanks.........vnzjunk


#2 vnzjunk

  • Topic Starter
  • Members
  • 20 posts

Posted 20 October 2005 - 02:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:45:22 PM, on 10/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\DeskPro\Desktop\spybotFIXES\HijackThis\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshkmsr.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italqjzn.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\vtutu.dll
O2 - BHO: (no name) - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [suneqxr] C:\WINDOWS\suneqxr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03ce14f2ee7175...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120406709202
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ag/imloader.cab
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qzdsvml.exe (file missing)
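The log above is the evidence a helper works from, and the triage is done by eye: which O2/O20/O23 entries point at DLLs with generated-looking names, which reference a file that is no longer there, and which binary runs from the Windows root rather than a program directory. As an added example that is not part of the original thread (and not a tool the forum's Malware Response Team used), the Python script below parses HijackThis-style O2, O3, O4, O20 and O23 lines and scores them with exactly those heuristics, plus a cross-reference that notices when one DLL is hooked from two different persistence points (here vtutu.dll, registered both as a BHO and as a Winlogon Notify package). The sample lines are copied in shape from the log above; the hard-coded C:\WINDOWS system root, the one-entry allowlist, the weights and the threshold are assumptions chosen for the example.

```python
import re
from collections import Counter, namedtuple
from pathlib import PureWindowsPath

# Constructed sample in the shape of a HijackThis v1.99.1 log (the parser
# understands sections O2, O3, O4 "[name] command" entries, O20 and O23).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshkmsr.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italqjzn.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\vtutu.dll
O2 - BHO: (no name) - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [suneqxr] C:\WINDOWS\suneqxr.exe
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qzdsvml.exe (file missing)
"""

# Assumptions for the example: the system root is taken from the log's platform,
# the allowlist is analyst-maintained, and the weights are illustrative only.
WINDOWS_ROOT = r"c:\windows"
SYSTEM_DIRS = {WINDOWS_ROOT, r"c:\windows\system32"}
KNOWN_GOOD = {"msdxm.ocx"}          # legitimate Microsoft file with a generated-looking name
MISSING = ("(file missing)", "(no file)")

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx|scr|com|cpl|bat))"?(?=\s|$)', re.I)

# path is "" when the entry names no file; owner is the O23 vendor column.
Entry = namedtuple("Entry", "section name path missing owner")
Finding = namedtuple("Finding", "entry score reasons")

def parse_line(line: str):
    """Return an Entry for the sections we score, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = RUN_RE.match(body)
        if not r:                        # Global Startup .lnk lines are not handled here
            return None
        e = EXE_RE.match(r.group("cmd"))  # strip quotes and command-line arguments
        return Entry(section, r.group("name"), e.group("path") if e else "", False, "")
    if section in ("O2", "O3", "O20", "O23"):
        parts = body.partition(": ")[2].split(" - ")
        seg, missing = parts[-1], any(mk in parts[-1] for mk in MISSING)
        for mk in MISSING:
            seg = seg.replace(mk, "").strip()
        owner = parts[-2] if section == "O23" and len(parts) >= 3 else ""
        return Entry(section, parts[0], seg, missing, owner)
    return None

def looks_generated(stem: str) -> bool:
    """Lexical test for dropper-style names (pkshkmsr, italqjzn): 5-8 lowercase
    letters with a consonant run of four or more, or under 20% vowels."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest >= 4 or vowels / len(stem) < 0.2

def score_entry(e: Entry, seen: Counter):
    """Apply each heuristic once; return (total, list of reasons that fired)."""
    p = PureWindowsPath(e.path) if e.path else None
    parent = str(p.parent).lower() if p else ""
    base = p.name.lower() if p else ""
    if base in KNOWN_GOOD:
        return 0, ["allowlisted"]
    rules = [
        (e.missing, 2, "references a file HijackThis could not find"),
        (e.name == "(no name)", 1, "registered without a display name"),
        (e.section == "O20", 2, "Winlogon Notify DLL, loaded into winlogon.exe at logon"),
        (e.owner == "Unknown owner", 1, "service binary carries no vendor information"),
        (parent == WINDOWS_ROOT, 2, "runs from the Windows root instead of a program directory"),
        (parent in SYSTEM_DIRS and looks_generated(p.stem), 2, "generated-looking name in a system directory"),
        (seen[base] >= 2, 2, f"{base} is hooked from {seen[base]} different entries"),
    ]
    hits = [(pts, why) for cond, pts, why in rules if cond]
    return sum(pts for pts, _ in hits), [why for _, why in hits]

def triage(log_text: str, threshold: int = 2) -> list:
    """Score every parsable entry; return those at or above threshold, highest first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    seen = Counter(PureWindowsPath(e.path).name.lower() for e in entries if e.path)
    found = [Finding(e, *score_entry(e, seen)) for e in entries]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.entry.section} {f.entry.name}: {'; '.join(f.reasons)}")
```

On the sample, the script shortlists the (no name) BHO with no file, pkshkmsr.dll, italqjzn.dll, vtutu.dll (twice, once per hook point), suneqxr.exe and the Windows Overlay Components service, which is the same set the SpySweeper session later in the thread reports as running threats or malicious services, while AVG, QuickTime and the ScsiAccess service fall below the threshold. msdxm.ocx is the reason the allowlist exists: its name trips the lexical test, and only an analyst's knowledge that it is the Windows Media Player Radio toolbar removes it. The heuristics are a shortlist generator, not a verdict; each hit still has to be confirmed on the machine.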

#3 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 03:22 AM

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow SpySweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

#4 vnzjunk

  • Topic Starter
  • Members
  • 20 posts

Posted 22 October 2005 - 10:35 AM

sUBs

Thanks for taking on my problem. I did the scan as you requested. Below is my SpySweeper log as well as the new HJT log. I will look for your response.

Thanks vnzjunk

********
10:38 AM: | Start of Session, Saturday, October 22, 2005 |
10:38 AM: Spy Sweeper started
10:38 AM: Sweep initiated using definitions version 560
10:38 AM: Starting Memory Sweep
10:39 AM: Found Adware: safesurf
10:39 AM: Detected running threat: C:\WINDOWS\System32\pkshkmsr.dll (ID = 138109)
10:39 AM: Found Trojan Horse: trojan downloader pops-stop
10:39 AM: Detected running threat: C:\WINDOWS\System32\italqjzn.dll (ID = 156497)
10:46 AM: Detected running threat: C:\Windows\SYSTEM32\netlanm.dll (ID = 138227)
10:46 AM: Detected running threat: C:\Windows\SYSTEM32\pdrpdb.dll (ID = 156482)
10:47 AM: Memory Sweep Complete, Elapsed Time: 00:08:24
10:47 AM: Starting Registry Sweep
10:47 AM: Found Adware: begin2search
10:47 AM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
10:47 AM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
10:47 AM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
10:47 AM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
10:47 AM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
10:47 AM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
10:47 AM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
10:47 AM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
10:47 AM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
10:47 AM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
10:47 AM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
10:47 AM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
10:47 AM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
10:47 AM: Found Adware: hotsearchbar toolbar
10:47 AM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
10:47 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (ID = 104211)
10:47 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (ID = 104211)
10:47 AM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
10:47 AM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
10:47 AM: Found Adware: visfx
10:47 AM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
10:47 AM: HKCR\funtools.picshow\ (5 subtraces) (ID = 730902)
10:47 AM: HKCR\funtools.picshow.1\ (3 subtraces) (ID = 730908)
10:47 AM: HKCR\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730912)
10:47 AM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
10:47 AM: HKLM\software\classes\funtools.picshow\ (5 subtraces) (ID = 730957)
10:47 AM: HKLM\software\classes\funtools.picshow.1\ (3 subtraces) (ID = 730963)
10:47 AM: HKLM\software\classes\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730967)
10:47 AM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
10:47 AM: HKLM\software\picshow\ (51 subtraces) (ID = 730989)
10:47 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (ID = 730994)
10:47 AM: HKCR\var8.talmgr\ (5 subtraces) (ID = 820332)
10:47 AM: HKCR\var8.talmgr.1\ (3 subtraces) (ID = 820338)
10:47 AM: HKCR\clsid\{70230839-555c-4862-8d42-bb1e2352502c}\ (11 subtraces) (ID = 820354)
10:47 AM: Found Adware: cas
10:47 AM: HKCR\clsid\{724d478a-2bd0-4db4-ae42-288b1e346ef7}\ (4 subtraces) (ID = 820366)
10:47 AM: HKCR\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820387)
10:47 AM: HKCR\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820397)
10:47 AM: HKLM\software\italmanager\ (43 subtraces) (ID = 820452)
10:47 AM: HKLM\software\classes\var8.talmgr\ (5 subtraces) (ID = 820485)
10:47 AM: HKLM\software\classes\var8.talmgr.1\ (3 subtraces) (ID = 820491)
10:47 AM: HKLM\software\classes\clsid\{70230839-555c-4862-8d42-bb1e2352502c}\ (11 subtraces) (ID = 820507)
10:47 AM: HKLM\software\classes\clsid\{724d478a-2bd0-4db4-ae42-288b1e346ef7}\ (4 subtraces) (ID = 820519)
10:47 AM: HKLM\software\classes\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820540)
10:47 AM: HKLM\software\classes\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820550)
10:47 AM: HKLM\software\microsoft\windows\currentversion\uninstall\italmgr\ (2 subtraces) (ID = 820572)
10:47 AM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ichckupd.exe\ (1 subtraces) (ID = 820614)
10:47 AM: Found Adware: ezula ilookup
10:47 AM: HKLM\software\microsoft\webext\ (24 subtraces) (ID = 828947)
10:47 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{70230839-555c-4862-8d42-bb1e2352502c}\ (ID = 831459)
10:47 AM: HKLM\software\microsoft\windows\currentversion\app paths\italm\ (2 subtraces) (ID = 831468)
10:47 AM: HKLM\software\microsoft\windows\currentversion\app paths\ichckupd\ (2 subtraces) (ID = 831816)
10:48 AM: Found Adware: drsnsrch.com hijack
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\internet explorer\searchurl\ (ID = 128212)
10:48 AM: Found Adware: starware toolbar
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\starware\ (12 subtraces) (ID = 142866)
10:48 AM: Found Adware: directrevenue-abetterinternet
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\aurora\ (28 subtraces) (ID = 360174)
10:48 AM: Found Adware: drsnsrch hijacker
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\dsrch\ (7 subtraces) (ID = 509156)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\windows\currentversion\run\ || pshower (ID = 730935)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\cmsystem\ (8 subtraces) (ID = 820421)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\windows\currentversion\run\ || cmsystem (ID = 820436)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\software\microsoft\windows\currentversion\run\ || fcengine (ID = 820437)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\internet explorer\searchurl\ (ID = 128212)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\starware\ (12 subtraces) (ID = 142866)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\aurora\ (27 subtraces) (ID = 360174)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\dsrch\ (7 subtraces) (ID = 509156)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\windows\currentversion\run\ || pshower (ID = 730935)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\cmsystem\ (9 subtraces) (ID = 820421)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\windows\currentversion\run\ || cmsystem (ID = 820436)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\software\microsoft\windows\currentversion\run\ || fcengine (ID = 820437)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\internet explorer\searchurl\ (ID = 128212)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\starware\ (12 subtraces) (ID = 142866)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\aurora\ (29 subtraces) (ID = 360174)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\dsrch\ (11 subtraces) (ID = 509156)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\software\microsoft\windows\currentversion\run\ || pshower (ID = 730935)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\cmapp\ (2 subtraces) (ID = 381792)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\cmapp\client\ || registered (ID = 724012)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\microsoft\windows\currentversion\run\ || wincmap (ID = 766766)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\cmsystem\ (9 subtraces) (ID = 820421)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\microsoft\windows\currentversion\run\ || ichckupd (ID = 820435)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\microsoft\windows\currentversion\run\ || cmsystem (ID = 820436)
10:48 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\software\microsoft\windows\currentversion\run\ || fcengine (ID = 820437)
10:48 AM: Registry Sweep Complete, Elapsed Time:00:01:39
10:49 AM: Starting Cookie Sweep
10:49 AM: Found Spy Cookie: atwola cookie
10:49 AM: guest@atwola[1].txt (ID = 2255)
10:49 AM: Found Spy Cookie: btgrab cookie
10:49 AM: guest@btg.btgrab[2].txt (ID = 2333)
10:49 AM: Found Spy Cookie: a cookie
10:49 AM: guest@a[2].txt (ID = 2027)
10:49 AM: Found Spy Cookie: cliks cookie
10:49 AM: guest@cliks[2].txt (ID = 2414)
10:49 AM: Found Spy Cookie: cc214142 cookie
10:49 AM: guest@ads.cc214142[1].txt (ID = 2367)
10:49 AM: Found Spy Cookie: 888 cookie
10:49 AM: guest@888[2].txt (ID = 2019)
10:49 AM: Found Spy Cookie: abetterinternet cookie
10:49 AM: guest@abetterinternet[2].txt (ID = 2035)
10:49 AM: Found Spy Cookie: offeroptimizer cookie
10:49 AM: guest@offeroptimizer[2].txt (ID = 3087)
10:49 AM: Found Spy Cookie: reliablestats cookie
10:49 AM: guest@stats1.reliablestats[2].txt (ID = 3254)
10:49 AM: Found Spy Cookie: dealtime cookie
10:49 AM: guest@dealtime[1].txt (ID = 2505)
10:49 AM: guest@stat.dealtime[1].txt (ID = 2506)
10:49 AM: Found Spy Cookie: specificclick.com cookie
10:49 AM: guest@adopt.specificclick[1].txt (ID = 3400)
10:49 AM: Found Spy Cookie: 80503492 cookie
10:49 AM: heather_2@80503492[1].txt (ID = 2013)
10:49 AM: heather_2@a[2].txt (ID = 2027)
10:49 AM: heather_2@btg.btgrab[2].txt (ID = 2333)
10:49 AM: Found Spy Cookie: belnk cookie
10:49 AM: heather_2@belnk[1].txt (ID = 2292)
10:49 AM: Found Spy Cookie: starware.com cookie
10:49 AM: heather_2@h.starware[1].txt (ID = 3442)
10:49 AM: heather_2@cliks[2].txt (ID = 2414)
10:49 AM: heather_2@www.starware[1].txt (ID = 3442)
10:49 AM: heather_2@888[1].txt (ID = 2019)
10:49 AM: heather_2@atwola[1].txt (ID = 2255)
10:49 AM: heather_2@offeroptimizer[2].txt (ID = 3087)
10:49 AM: heather_2@dist.belnk[2].txt (ID = 2293)
10:49 AM: Found Spy Cookie: coolsavings cookie
10:49 AM: heather_2@coolsavings[1].txt (ID = 2465)
10:49 AM: Found Spy Cookie: rn11 cookie
10:49 AM: heather_2@rn11[2].txt (ID = 3261)
10:49 AM: heather_2@ads.cc214142[1].txt (ID = 2367)
10:49 AM: Found Spy Cookie: go.com cookie
10:49 AM: heather_2@abclocal.go[1].txt (ID = 2729)
10:49 AM: heather_2@go[1].txt (ID = 2728)
10:49 AM: heather_2@abetterinternet[2].txt (ID = 2035)
10:49 AM: Found Spy Cookie: nextag cookie
10:49 AM: heather_2@nextag[2].txt (ID = 5014)
10:49 AM: Found Spy Cookie: winantiviruspro cookie
10:49 AM: heather_2@www.winantiviruspro[2].txt (ID = 3690)
10:49 AM: heather_2@stats1.reliablestats[2].txt (ID = 3254)
10:49 AM: heather@nextag[2].txt (ID = 5014)
10:49 AM: heather@atwola[1].txt (ID = 2255)
10:49 AM: Found Spy Cookie: passion cookie
10:49 AM: heather@passion[1].txt (ID = 3113)
10:49 AM: heather@dist.belnk[2].txt (ID = 2293)
10:49 AM: heather@btg.btgrab[2].txt (ID = 2333)
10:49 AM: Found Spy Cookie: screensavers.com cookie
10:49 AM: heather@www.screensavers[1].txt (ID = 3298)
10:49 AM: Found Spy Cookie: ask cookie
10:49 AM: heather@ask[1].txt (ID = 2245)
10:49 AM: heather@cliks[1].txt (ID = 2414)
10:49 AM: heather@offeroptimizer[1].txt (ID = 3087)
10:49 AM: heather@i.screensavers[1].txt (ID = 3298)
10:49 AM: heather@belnk[1].txt (ID = 2292)
10:49 AM: heather@a[2].txt (ID = 2027)
10:49 AM: Found Spy Cookie: about cookie
10:49 AM: heather@about[1].txt (ID = 2037)
10:49 AM: heather@adopt.specificclick[1].txt (ID = 3400)
10:49 AM: heather@abetterinternet[2].txt (ID = 2035)
10:49 AM: Found Spy Cookie: reunion cookie
10:49 AM: heather@reunion[2].txt (ID = 3255)
10:49 AM: Found Spy Cookie: webtrendslive cookie
10:49 AM: heather@dcs8ir0f010000oyioyaka1kl_8j7n[2].txt (ID = 3673)
10:49 AM: Found Spy Cookie: 64.62.232 cookie
10:49 AM: heather@64.62.232[2].txt (ID = 1987)
10:49 AM: Found Spy Cookie: hbmediapro cookie
10:49 AM: heather@adopt.hbmediapro[2].txt (ID = 2768)
10:49 AM: Found Spy Cookie: banner cookie
10:49 AM: heather@banner[2].txt (ID = 2276)
10:49 AM: heather@go[2].txt (ID = 2728)
10:49 AM: heather@movies.about[2].txt (ID = 2038)
10:49 AM: heather@pregnancy.about[1].txt (ID = 2038)
10:49 AM: heather@pediatrics.about[2].txt (ID = 2038)
10:49 AM: Found Spy Cookie: burstbeacon cookie
10:49 AM: heather@www.burstbeacon[1].txt (ID = 2335)
10:49 AM: heather@888[2].txt (ID = 2019)
10:49 AM: Found Spy Cookie: burstnet cookie
10:49 AM: heather@burstnet[2].txt (ID = 2336)
10:49 AM: heather@abclocal.go[1].txt (ID = 2729)
10:49 AM: heather@www.winantiviruspro[2].txt (ID = 3690)
10:49 AM: Found Spy Cookie: enhance cookie
10:49 AM: heather@c.enhance[1].txt (ID = 2614)
10:49 AM: heather@stats1.reliablestats[2].txt (ID = 3254)
10:49 AM: heather@ads.cc214142[2].txt (ID = 2367)
10:49 AM: Found Spy Cookie: yieldmanager cookie
10:49 AM: heather@ad.yieldmanager[1].txt (ID = 3751)
10:49 AM: Found Spy Cookie: webservicehosts cookie
10:49 AM: heather@dr.webservicehosts[2].txt (ID = 3663)
10:49 AM: darla@c.enhance[1].txt (ID = 2614)
10:49 AM: darla@go[1].txt (ID = 2728)
10:49 AM: darla@ads.cc214142[2].txt (ID = 2367)
10:49 AM: darla@nextag[1].txt (ID = 5014)
10:49 AM: darla@passion[2].txt (ID = 3113)
10:49 AM: Found Spy Cookie: stamps.com cookie
10:49 AM: darla@stamps[2].txt (ID = 3437)
10:49 AM: Found Spy Cookie: myaffiliateprogram.com cookie
10:49 AM: darla@www.myaffiliateprogram[1].txt (ID = 3032)
10:49 AM: Found Spy Cookie: upspiral cookie
10:49 AM: darla@www.upspiral[1].txt (ID = 3615)
10:49 AM: Found Spy Cookie: pointroll cookie
10:49 AM: darla@ads.pointroll[1].txt (ID = 3148)
10:49 AM: Found Spy Cookie: 2o7.net cookie
10:49 AM: darla@amsterdamprinting.122.2o7[1].txt (ID = 1958)
10:49 AM: Found Spy Cookie: zedo cookie
10:49 AM: darla@zedo[1].txt (ID = 3762)
10:49 AM: Found Spy Cookie: mygeek cookie
10:49 AM: darla@mygeek[2].txt (ID = 3041)
10:49 AM: darla@2o7[1].txt (ID = 1957)
10:49 AM: Found Spy Cookie: search123 cookie
10:49 AM: darla@search123[1].txt (ID = 3305)
10:49 AM: darla@photo.stamps[2].txt (ID = 3438)
10:49 AM: Found Spy Cookie: videodome cookie
10:49 AM: darla@videodome[1].txt (ID = 3638)
10:49 AM: darla@dcs8ir0f010000oyioyaka1kl_8j7n[1].txt (ID = 3673)
10:49 AM: Found Spy Cookie: infospace cookie
10:49 AM: darla@infospace[2].txt (ID = 2865)
10:49 AM: Found Spy Cookie: tradedoubler cookie
10:49 AM: darla@tradedoubler[1].txt (ID = 3575)
10:49 AM: Found Spy Cookie: servedby advertising cookie
10:49 AM: darla@servedby.advertising[2].txt (ID = 3335)
10:49 AM: Found Spy Cookie: trafficmp cookie
10:49 AM: darla@trafficmp[2].txt (ID = 3581)
10:49 AM: Found Spy Cookie: atlas dmt cookie
10:49 AM: darla@atdmt[2].txt (ID = 2253)
10:49 AM: Found Spy Cookie: seeq cookie
10:49 AM: darla@www.seeq[1].txt (ID = 3332)
10:49 AM: darla@888[2].txt (ID = 2019)
10:49 AM: Found Spy Cookie: linksynergy cookie
10:49 AM: darla@linksynergy[2].txt (ID = 2926)
10:49 AM: darla@clubmom.122.2o7[2].txt (ID = 1958)
10:49 AM: darla@adopt.hbmediapro[2].txt (ID = 2768)
10:49 AM: Found Spy Cookie: adserver cookie
10:49 AM: darla@z1.adserver[1].txt (ID = 2142)
10:49 AM: Found Spy Cookie: epilot cookie
10:49 AM: darla@www.epilot[1].txt (ID = 2622)
10:49 AM: Found Spy Cookie: server.iad.liveperson cookie
10:49 AM: darla@server.iad.liveperson[2].txt (ID = 3341)
10:49 AM: Found Spy Cookie: did-it cookie
10:49 AM: darla@did-it[1].txt (ID = 2523)
10:49 AM: Found Spy Cookie: goclick cookie
10:49 AM: darla@c.goclick[2].txt (ID = 2733)
10:49 AM: darla@atwola[1].txt (ID = 2255)
10:49 AM: Found Spy Cookie: redzip cookie
10:49 AM: darla@www.redzip[1].txt (ID = 3250)
10:49 AM: darla@stats1.reliablestats[2].txt (ID = 3254)
10:49 AM: Found Spy Cookie: directtrack cookie
10:49 AM: darla@directtrack[1].txt (ID = 2527)
10:49 AM: Found Spy Cookie: rednova cookie
10:49 AM: darla@rednova[1].txt (ID = 3245)
10:49 AM: darla@yieldmanager[1].txt (ID = 3749)
10:49 AM: darla@statse.webtrendslive[1].txt (ID = 3667)
10:49 AM: darla@www.reunion[1].txt (ID = 3256)
10:49 AM: darla@ad.reunion[1].txt (ID = 3256)
10:49 AM: darla@888[3].txt (ID = 2019)
10:49 AM: Found Spy Cookie: tribalfusion cookie
10:49 AM: darla@tribalfusion[1].txt (ID = 3589)
10:49 AM: Found Spy Cookie: servlet cookie
10:49 AM: darla@servlet[2].txt (ID = 3345)
10:49 AM: Found Spy Cookie: searchadnetwork cookie
10:49 AM: darla@www.searchadnetwork[1].txt (ID = 3312)
10:49 AM: darla@www.rednova[1].txt (ID = 3246)
10:49 AM: Found Spy Cookie: questionmarket cookie
10:49 AM: darla@questionmarket[2].txt (ID = 3217)
10:49 AM: Found Spy Cookie: realmedia cookie
10:49 AM: darla@realmedia[1].txt (ID = 3235)
10:49 AM: darla@reunion[1].txt (ID = 3255)
10:49 AM: darla@searchadnetwork[2].txt (ID = 3311)
10:49 AM: darla@www48.seeq[1].txt (ID = 3332)
10:49 AM: Found Spy Cookie: coremetrics cookie
10:49 AM: darla@data.coremetrics[1].txt (ID = 2472)
10:49 AM: Found Spy Cookie: advertising cookie
10:49 AM: darla@advertising[2].txt (ID = 2175)
10:49 AM: Found Spy Cookie: cassava cookie
10:49 AM: darla@cassava[1].txt (ID = 2362)
10:49 AM: Found Spy Cookie: adprofile cookie
10:49 AM: darla@adprofile[1].txt (ID = 2084)
10:49 AM: Found Spy Cookie: touchclarity cookie
10:49 AM: darla@intercasino.touchclarity[1].txt (ID = 3566)
10:49 AM: Found Spy Cookie: adjuggler cookie
10:49 AM: darla@rotator.adjuggler[1].txt (ID = 2071)
10:49 AM: darla@ask[1].txt (ID = 2245)
10:49 AM: Found Spy Cookie: kmpads cookie
10:49 AM: darla@kmpads[2].txt (ID = 2909)
10:49 AM: Found Spy Cookie: metareward.com cookie
10:49 AM: darla@metareward[2].txt (ID = 2990)
10:49 AM: Found Spy Cookie: askmen cookie
10:49 AM: darla@askmen[1].txt (ID = 2247)
10:49 AM: darla@gozing.directtrack[2].txt (ID = 2528)
10:49 AM: darla@dr.webservicehosts[1].txt (ID = 3663)
10:49 AM: anyuser@atwola[1].txt (ID = 2255)
10:49 AM: deskpro@stats1.reliablestats[1].txt (ID = 3254)
10:49 AM: deskpro@atdmt[2].txt (ID = 2253)
10:49 AM: deskpro@trafficmp[1].txt (ID = 3581)
10:49 AM: deskpro@data.coremetrics[1].txt (ID = 2472)
10:49 AM: deskpro@microsofteup.112.2o7[1].txt (ID = 1958)
10:49 AM: deskpro@rsi.abcnews.go[1].txt (ID = 2729)
10:49 AM: deskpro@abcnews.go[1].txt (ID = 2729)
10:49 AM: deskpro@go[2].txt (ID = 2728)
10:49 AM: deskpro@c1.zedo[1].txt (ID = 3763)
10:49 AM: deskpro@zedo[1].txt (ID = 3762)
10:49 AM: deskpro@servedby.advertising[2].txt (ID = 3335)
10:49 AM: deskpro@advertising[2].txt (ID = 2175)
10:49 AM: Cookie Sweep Complete, Elapsed Time: 00:00:16
10:49 AM: Starting File Sweep
10:49 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
10:49 AM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
10:49 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars
10:49 AM: 1.exe (ID = 144062)
10:51 AM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{3870f637-8415-46fe-9231-710c8ba4c197}.bin". The process cannot access the file because it is being used by another process
10:52 AM: pdrpdb.dll (ID = 156482)
10:53 AM: italqjzn.dll (ID = 156497)
10:53 AM: ichckupd.exe (ID = 156483)
10:53 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run || ichckupd (ID = 0)
10:53 AM: nahbluff.exe (ID = 154779)
10:53 AM: pinkkas2123.ico (ID = 51041)
10:53 AM: Found Adware: surfsidekick
10:53 AM: ssk3_b5.exe (ID = 162654)
10:53 AM: bho.dll (ID = 167068)
10:54 AM: Found Trojan Horse: hackerdefender
10:54 AM: mainsafe.empty.ini (ID = 166338)
10:54 AM: nsca7.dll (ID = 51054)
10:54 AM: installerv5.exe (ID = 162519)
10:54 AM: netlanm.dll (ID = 138227)
10:54 AM: pkshkmsr.dll (ID = 138109)
10:54 AM: pshwr.exe (ID = 138228)
10:54 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-501\Software\Microsoft\Windows\CurrentVersion\Run || pshower (ID = 0)
10:54 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1006\Software\Microsoft\Windows\CurrentVersion\Run || pshower (ID = 0)
10:54 AM: HKU\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1005\Software\Microsoft\Windows\CurrentVersion\Run || pshower (ID = 0)
10:54 AM: norisuni.exe (ID = 138284)
10:54 AM: Found Adware: shopathomeselect
10:54 AM: 2irv9tl3.dat (ID = 121494)
10:54 AM: bingo_big3123.ico (ID = 51022)
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
10:54 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\storydb.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\chandir.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\d0000000.fcs". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\l0000013.fcs". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\chandir.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\storydb.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\chn.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\chn.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_die.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_die.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_dnd.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_dnd.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_ext.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_ext.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_rcv.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs_rcv.idx". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs.dat". The process cannot access the file because it is being used by another process
11:04 AM: Warning: Failed to open file "c:\program files\kodak\kodak software updater\7288971\users\default\data\prs.idx". The process cannot access the file because it is being used by another process
11:04 AM: c:\program files\cmsystem (6 subtraces) (ID = -2147471610)
11:04 AM: plugin.dll (ID = 154758)
11:04 AM: cmsystem.exe (ID = 154757)
11:04 AM: sf.txt (ID = 110126)
11:04 AM: rf.txt (ID = 110125)
11:05 AM: c:\program files\wincmapp (2 subtraces) (ID = -2147472758)
11:05 AM: ppq7c9.tmp (ID = 166574)
11:05 AM: wincmapp.exe (ID = 145823)
11:05 AM: c:\program files\fcengine (4 subtraces) (ID = -2147471607)
11:05 AM: plugin.dll (ID = 154761)
11:05 AM: fcengine.exe (ID = 154760)
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\ntuser.dat". The process cannot access the file because it is being used by another process
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\temp\me_iwtexofcd1a8kcv". The process cannot access the file because it is being used by another process
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\temp\me_g3js6swv954fdpz". The process cannot access the file because it is being used by another process
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\temp\me_5jibocbgntnv9k2". The process cannot access the file because it is being used by another process
11:05 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\temp\me_fd3wpxlyyejnggl". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\deskpro\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs742e27b4-7d46-450f-8de0-07cbb358ef52.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb1075ed8-243f-49f5-a04b-a65e45910c1e.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8e3ec3b2-331a-4a47-81b2-592297aafac7.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse611fd59-b631-439b-9e21-c095dd14226f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5d701a38-e0f8-4c53-a8dd-1b8fd2037f1d.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs70cfeed7-4ca6-4e7d-a7f2-e69bebbaa65a.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd982dbc7-fe1d-4e31-bca7-0120cc1d7caa.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs54faa4aa-178d-4d3d-9ab2-379541e4458e.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa352e67b-84df-4171-a1ea-013db215268e.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse9b6a7ff-7fb0-40fc-b495-b77cf8b3d7e4.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa61f309f-d847-4744-b6c0-7909826598c9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs17892923-ade5-46fd-9e20-bd9d7093b6a7.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1cb5a2bd-33f5-4421-8ff4-e04d3d28e65e.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse7fa56a0-72f7-449e-a841-b3811f06cf03.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa3f4ba04-466b-419a-86f6-2fe1300b4670.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs231292ed-84da-4013-b03d-be6cbd1010c6.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1591529f-676b-4201-8257-3756c5053f25.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd3b8cffe-b0c3-4c40-bb0a-1de1676bf9af.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7c3a1bde-78b3-4491-93a5-96ae0ac75ee3.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3c98f731-0948-492e-a78f-26d3a8f8065b.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9b97e266-0a84-4ec4-bdd7-11d116878613.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf511b59b-8dce-4a95-87f2-20378b70e558.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d9de90b-d02b-4f93-806a-5d4ce383b7c2.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs70ef6537-cb82-44ce-b462-c31af724610f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs81cfb0b9-0460-4e2f-995b-c1f0ed949aa9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfdb51d09-55ef-486b-aef2-883e39071728.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb1de924f-7b4f-4c36-a182-dca53880e454.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7138f89c-ba6f-4017-aea3-827ac31f9045.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5e48ce59-f4e9-48b7-a15c-24916a1ad7e7.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs09d32501-c071-4ebe-b931-7bbb440c3408.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2fd46421-3294-46e9-ac2a-59c39c6b8ac9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs190da31e-beed-4bda-962f-e275affef6f4.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd86a3069-9f85-4bd0-913b-3da16afa2087.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e536ab1-ff1f-4150-bef7-a48eaf7ec54c.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6c1bf4ba-be12-4acd-9262-3ec8bf0e5133.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs84cee43f-c7cd-49b4-b8f9-0805af0745da.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs267513cd-9877-4a37-9bf1-7c48679013d6.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa08b4eee-b2fc-4904-abe1-aa88f62d85b6.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb49311d0-36f8-4c2a-b061-3ad8bdc6b19a.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscecfd79e-67ff-46e9-bcf2-4959fc230958.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs970938ef-1344-4fd7-b9fc-e951e3ab4c3e.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd22c035c-ba45-44ea-8f9b-f66d409af88f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa780d29b-596a-428a-9832-cfa2897850fc.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs64822b8d-1357-4865-adfd-d14985be4afd.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc24d809a-5262-4fc4-b9e0-851bd8ded173.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc70ff6ba-8641-4473-ab22-3b17e345d439.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs25929e7d-1192-4a91-8dc9-74ea44f589a5.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbd5029f4-bae9-493c-9f67-3873bcac5ce8.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs58009508-3126-4a82-a6ce-229a260a870a.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs93c73747-8188-4761-b566-4d13108858d9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbf159215-18bf-4e78-8a9a-ed021377bcf1.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a4c8e2c-b2c4-4ded-b783-29e29c33bbbf.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd2956263-2c0f-4050-b9c6-e7dee26b9bfa.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd248aad7-ee4e-48fa-a18c-9ac17a7ec7a0.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7d8ae7fa-5f35-4991-aaf7-a0ad12dbcb1f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs75d9dc9f-2bbc-4f6b-a7e6-65d0f8da72cf.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs487cbb99-bd43-487a-bc7d-2f38f6952359.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4274e745-ef01-4aa2-abec-ecdc7b8f4c9f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscde7ca2f-74bc-4e8c-b234-2b88d874ea10.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1a5883b0-80cf-4056-901f-c369a18724dc.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7d0a851a-e763-43a0-bbf3-a014b1be83e8.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ecabb88-838a-476a-88b1-52c3e5097061.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs58cda6a1-0e0c-4ade-9219-87f1cb755a3a.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d0382bd-142f-413a-8435-edc1ed0825d4.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5661f4fb-dda9-469d-be62-a20de3310e08.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc6ce9128-6ddd-4c9f-97c3-c225c7190bc9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2093ceeb-895b-4610-986c-11ac3aa25a78.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs46b5b974-bb37-4c8e-a0c0-980e87fb24f7.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs432262a2-32ef-439e-904e-91f947e0f61f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc82f6d3d-63bf-46ef-a623-ad5a82157f6a.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbd799bf8-41b6-42da-bf3f-ea0e136afa19.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs797a0505-2944-4f13-8cdc-bd5a3c607825.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8dd7bd8e-f2dd-4874-9ea4-45c36aba59b2.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsad180eba-1b7a-404a-bf6c-b817453d5c06.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs98d062b3-86dd-48bc-9f48-a61a2fc458c3.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2710d02e-2f7c-4d9a-9c31-dbb3521ce37f.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse856c04d-8a83-47dc-8245-b3a5aeb8c099.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5ce12604-994d-4e12-8103-73cd06dede89.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8bd9532b-068d-44fc-a280-e6d73f04c5ef.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs13900ede-7929-4721-ba6f-29907131ef98.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf7e6c983-84c1-4be2-9a52-6d336702bc00.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc83e50ce-744a-45af-ba7b-6ae6c391cab9.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa88e9670-9e51-4fbf-b101-58ba2dcfe5bd.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs43408bcf-9f85-4014-ae55-c30066f7e113.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse7710755-0085-4cfd-ad1f-74d2728c2854.tmp". The process cannot access the file because it is being used by another process
11:06 AM: Warning: Failed to open file "c:\documents and se

#5 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 12:23 PM

Erm.. The log seems incomplete. :thumbsup:

I would also require a new HiJackThis log.
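A helper reading a pasted Spy Sweeper log, as sUBs is doing here, checks two things before recommending removals: whether the log is actually complete, and which of the listed traces are autostart entries (Run-key values) that will relaunch the infection at the next logon. The script below is an added example for this thread, not Webroot's code and not something any participant posted. Its line formats are copied from the log on this page; two things are assumptions of mine: that trace lines belong to the most recent "Found <category>: <name>" header above them, and that a finished file sweep ends with a "File Sweep Complete" line (modelled on the "Cookie Sweep Complete, Elapsed Time: ..." line that does appear in the log). The sample log is constructed and, like the posted one, stops in the middle of a quoted path.

```python
"""Triage helper for a Webroot Spy Sweeper sweep log like the one pasted above.

Added example for this thread, not Webroot's code and not posted by anyone in
the thread.  Line formats are taken from the log on this page.  Assumptions:
trace lines are attributed to the most recent "Found <category>: <name>"
header, and a finished file sweep ends with a "File Sweep Complete" line
(modelled on the "Cookie Sweep Complete, Elapsed Time: ..." line in the log).
"""
import re

# Constructed sample modelled on the log lines in this thread.  It stops in the
# middle of a quoted path, as the posted log does.
SAMPLE_LOG = (
    '10:49 AM: Starting File Sweep\n'
    '10:49 AM: Warning: Failed to open file "c:\\pagefile.sys". Access is denied\n'
    '10:49 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars\n'
    '10:49 AM: 1.exe (ID = 144062)\n'
    '10:53 AM: ichckupd.exe (ID = 156483)\n'
    '10:53 AM: HKU\\WRSS_Profile_S-1-5-21-507921405-842925246-1801674531-1004'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run || ichckupd (ID = 0)\n'
    '10:53 AM: Found Adware: surfsidekick\n'
    '10:53 AM: ssk3_b5.exe (ID = 162654)\n'
    '10:54 AM: Found Trojan Horse: hackerdefender\n'
    '10:54 AM: mainsafe.empty.ini (ID = 166338)\n'
    '11:04 AM: c:\\program files\\cmsystem (6 subtraces) (ID = -2147471610)\n'
    '11:04 AM: cmsystem.exe (ID = 154757)\n'
    '11:06 AM: Warning: Failed to open file "c:\\documents and se'
)

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<body>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
TRACE_RE = re.compile(r"^(?P<trace>.+) \(ID = (?P<id>-?\d+)\)$")
REG_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\[^|]+?) \|\| (?P<value>.+)$")
END_MARKER = "File Sweep Complete"  # assumed end-of-sweep line, see docstring


def triage(log_text):
    """Group the log into findings and report what a helper checks first."""
    findings = {}          # name -> {"category", "traces", "registry"}
    current = None
    warnings = 0
    complete = False
    unparsed = []
    for raw in log_text.split("\n"):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            unparsed.append(raw)
            continue
        body = m.group("body")
        if body.startswith("Warning: "):
            warnings += 1            # locked/in-use files the scanner skipped
        elif body.startswith(END_MARKER):
            complete = True
        elif body.startswith("Starting "):
            pass                     # informational phase marker
        elif FOUND_RE.match(body):
            f = FOUND_RE.match(body)
            current = f.group("name")
            findings[current] = {"category": f.group("category"),
                                 "traces": [], "registry": []}
        elif TRACE_RE.match(body) and current is not None:
            trace = TRACE_RE.match(body).group("trace")
            r = REG_RE.match(trace)
            if r:
                findings[current]["registry"].append((r.group("key"), r.group("value")))
            else:
                findings[current]["traces"].append(trace)
        else:
            unparsed.append(raw)
    last = log_text.rstrip("\n").rsplit("\n", 1)[-1]
    return {
        "complete": complete,
        # A paste cut off mid-line usually leaves an unmatched quote in the last line.
        "ends_mid_line": last.count('"') % 2 == 1,
        "warnings": warnings,
        "findings": findings,
        "unparsed": unparsed,
    }


def autostart_entries(report):
    """Run-key values that relaunch the infection at logon: remove these first."""
    out = []
    for name, info in report["findings"].items():
        for key, value in info["registry"]:
            if key.lower().endswith("\\currentversion\\run"):
                out.append((name, key, value))
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    if not rep["complete"] or rep["ends_mid_line"]:
        print("log is incomplete; ask for a full re-scan log before acting")
    for name, info in rep["findings"].items():
        print(f"{info['category']}: {name} ({len(info['traces'])} traces)")
    for name, key, value in autostart_entries(rep):
        print(f"autostart: {value} in {key} [{name}]")
```

The "Warning: Failed to open file" lines are counted rather than discarded because a high count against user profile hives and temp files means the scanner never read those locations, which is exactly where the droppers in this log live; a clean-looking result under those conditions is not a clean machine.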

#6 vnzjunk

  • Topic Starter
  • Members
  • 20 posts

Posted 22 October 2005 - 12:59 PM

I'll run another one.

Erm.. The log seems incomplete. :thumbsup:

I would also require a new HiJackThis log.



Here is the latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:55:23 PM, on 10/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\DeskPro\Desktop\spybotFIXES\HijackThis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\vtutu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [suneqxr] C:\WINDOWS\suneqxr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03ce14f2ee7175...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120406709202
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ag/imloader.cab
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe






#7 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 01:21 PM

Please uninstall this program using Add/Remove Programs:

ViewPoint


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

With HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\vtutu.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [suneqxr] C:\WINDOWS\suneqxr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03ce14f2ee7175...ip/RdxIE601.cab
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\Viewpoint\
Locate and delete the following files:
  • C:\WINDOWS\suneqxr.exe
    C:\WINDOWS\System32\ututv
    << delete all instances of this file
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  • Select Drive C: & click the 'OK' button
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click the 'OK' button
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Perform an online scan with Panda ActiveScan using Internet Explorer
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Edited by sUBs, 22 October 2005 - 01:22 PM.
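A log triage of the kind applied in the reply above, as an added Python example that is not code from this thread or from HijackThis: it parses HJT entry lines, flags modules reported "(file missing)", Winlogon Notify DLLs outside a small allowlist, autostart executables dropped directly into the Windows directory, and a DLL that is hooked both as an O2 BHO and as an O20 Winlogon Notify entry (the vtutu.dll pattern in the log posted earlier). The sample lines are copied from that log; the allowlist and the Windows-directory heuristic are assumptions of this example.

```python
import re
from collections import defaultdict, namedtuple

# Entry lines copied from the HijackThis log posted earlier in this thread
# (a constructed subset; the header line is there to show it is skipped).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\vtutu.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [suneqxr] C:\WINDOWS\suneqxr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

Finding = namedtuple("Finding", ["section", "reason", "line"])

# "R0 - ...", "O4 - ...", "O20 - ..." and so on; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a loadable module; paths may contain spaces.
MODULE_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Logon notification DLLs accepted without a second look. Assumption of this
# example, seeded from the Webroot entry in the log; a real allowlist is larger.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}


def parse_entries(text):
    """Return (section, body, line) for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def module_of(body):
    """Lower-cased path of the module an entry loads, or None (e.g. bare 'SysTray.Exe')."""
    m = MODULE_RE.search(body)
    return m.group(0).lower() if m else None


def triage(text):
    """Apply the heuristics described in the lead-in and return a list of Finding."""
    findings = []
    loaders = defaultdict(set)  # module file name -> sections that load it
    for section, body, line in parse_entries(text):
        path = module_of(body)
        name = path.rsplit("\\", 1)[-1] if path else None
        if name:
            loaders[name].add(section)
        if "(file missing)" in body:
            findings.append(Finding(section, "registered module is missing from disk", line))
        if section == "O20" and name not in KNOWN_NOTIFY_DLLS:
            findings.append(Finding(section, "Winlogon Notify DLL not on the allowlist", line))
        # Heuristic (assumption): an autostart .exe sitting directly in C:\WINDOWS
        # rather than in System32 or Program Files deserves a manual look.
        if section == "O4" and path and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path):
            findings.append(Finding(section, "autostart executable placed directly in the Windows directory", line))
    # Cross-hook correlation: one DLL registered as both a BHO and a logon notifier.
    for name, sections in loaders.items():
        if {"O2", "O20"} <= sections:
            findings.append(Finding("O2+O20", f"{name} is hooked both as a BHO and at logon", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```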


#8 vnzjunk
  • Topic Starter
  • Members
  • 20 posts

Posted 22 October 2005 - 03:24 PM

Here are the latest online scan results and the latest HJT report

Logfile of HijackThis v1.99.1
Scan saved at 4:18:18 PM, on 10/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\DeskPro\Desktop\spybotFIXES\HijackThis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120406709202
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ag/imloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Incident Status Location

Adware:adware program Reported C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/savenow Reported Windows Registry
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\DeskPro\Cookies\deskpro@hitbox[2].txt
Spyware:Cookie/Bfast Reported C:\Documents and Settings\DeskPro\Cookies\deskpro@bfast[1].txt
Adware:Adware/BigTrafficNet Reported C:\Windows\SYSTEM32\nsqA.dll
Adware:Adware/BigTrafficNet Reported C:\Windows\SYSTEM32\nsu346.dll
Spyware:Cookie/Abetterinternet Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAC.tmp
Spyware:Cookie/2o7.net Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp
Spyware:Cookie/Advertising Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBF.tmp
Spyware:Cookie/Atlas DMT Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC0.tmp
Spyware:Cookie/Bfast Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC1.tmp
Spyware:Cookie/BurstNet Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC2.tmp
Spyware:Cookie/Com.com Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp
Spyware:Cookie/Doubleclick Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC9.tmp
Spyware:Cookie/FastClick Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCB.tmp
Spyware:Cookie/Findwhat Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCC.tmp
Spyware:Cookie/Mediaplex Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp
Spyware:Cookie/QuestionMarket Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCE.tmp
Spyware:Cookie/Advertising Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD0.tmp
Spyware:Cookie/Traffic Marketplace Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD1.tmp
Spyware:Cookie/Adserver Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD5.tmp
Spyware:Cookie/Zedo Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD6.tmp
Spyware:Cookie/Abetterinternet Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C4.tmp
Spyware:Cookie/AspinallsOnlineCasino Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp
Spyware:Cookie/Traffic Marketplace Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp
Spyware:Cookie/Advertising Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Spyware:Cookie/Bluestreak Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
Spyware:Cookie/bravenetA Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp
Spyware:Cookie/BurstNet Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp
Spyware:Cookie/FastClick Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Hitbox Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/Hitbox Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/QuestionMarket Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/SAHAgent Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp
Spyware:Cookie/Tradedoubler Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp
Spyware:Cookie/Valueclick Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/Tribalfusion Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp
Spyware:Cookie/Advertising Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/Mediaplex Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp
Spyware:Cookie/Linksynergy Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/Findwhat Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp
Spyware:Cookie/Doubleclick Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp
Spyware:Cookie/Coremetrics Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\DeskPro\Cookies\deskpro@hitbox[2].txt
Spyware:Cookie/Bfast Reported C:\Documents and Settings\DeskPro\Cookies\deskpro@bfast[1].txt
Spyware:Spyware/SafeSurf Reported C:\Documents and Settings\darla\Local Settings\Temp\ExtractDLL.dll
Adware:Adware/CWS Reported C:\Documents and Settings\darla\Local Settings\Temporary Internet Files\Content.IE5\81I3YBGL\menus[1].js
Adware:Adware/CWS Reported C:\Documents and Settings\darla\Local Settings\Temporary Internet Files\Content.IE5\VR9H91XQ\menus[1].js
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\darla\Cookies\darla@mediaplex[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\darla\Cookies\darla@doubleclick[2].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\darla\Cookies\darla@target[1].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\darla\Cookies\darla@hitbox[1].txt
Spyware:Cookie/Searchportal Reported C:\Documents and Settings\darla\Cookies\darla@searchportal.information[2].txt
Spyware:Cookie/Com.com Reported C:\Documents and Settings\darla\Cookies\darla@com[2].txt
Spyware:Cookie/Buydomains Reported C:\Documents and Settings\darla\Cookies\darla@www47.buydomains[1].txt
Spyware:Spyware/SafeSurf Reported C:\Documents and Settings\Guest\Local Settings\Temp\ExtractDLL.dll
Spyware:Cookie/Target Reported C:\Documents and Settings\Guest\Cookies\guest@target[2].txt
Spyware:Cookie/Errorguard Reported C:\Documents and Settings\heather\Cookies\heather@errorguard[2].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\heather\Cookies\heather@target[1].txt
Spyware:Spyware/SafeSurf Reported C:\Documents and Settings\Heather_2\Local Settings\Temp\ExtractDLL.dll





#9 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 07:07 PM

Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification
Have HijackThis fix these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O16 - DPF: Win32 Classes -




Delete these files/folders: (let me know if you fail to find/delete any)

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Windows\SYSTEM32\nsqA.dll
C:\Windows\SYSTEM32\nsu346.dll


C:\Program Files\Yahoo!\YPSR\Quarantine\
>> delete the contents of this folder leaving an empty folder



Download & install this program - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Reboot your computer & post a new HJT log.
Let me know if you still have any other issues with your computer

Edited by sUBs, 22 October 2005 - 07:08 PM.


#10 vnzjunk
  • Topic Starter
  • Members
  • 20 posts

Posted 22 October 2005 - 08:09 PM

Here is the latest HJT file. How does it look ?

Logfile of HijackThis v1.99.1
Scan saved at 9:04:20 PM, on 10/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\DeskPro\Desktop\spybotFIXES\HijackThis\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120406709202
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ag/imloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:

  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automaticly restore default without notifiction
Have HijackThis fix these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O16 - DPF: Win32 Classes -




Delete these files/folders: (let me know if you fail to find/delete any)

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Windows\SYSTEM32\nsqA.dll
C:\Windows\SYSTEM32\nsu346.dll


C:\Program Files\Yahoo!\YPSR\Quarantine\
>> delete the contents of this folder leaving an empty folder



Download & install this program - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Reboot your computer & post a new HJT log.
Let me know if you still have any other issues with your computer
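To show how the entries singled out above can be picked out of a HijackThis log mechanically, here is an added example (not part of the thread and not HijackThis code) that parses the R0/R1, O16, O20 and O23 line formats seen in the log and flags the same kinds of entries the helper asked to have fixed. The sample log is constructed from a handful of lines in the shape of the one posted above.

```python
import re

# Matches the "Oxx - ..." / "Rx - ..." entry lines HijackThis writes.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Start/search page values the helper asked to have fixed in this thread.
BLANK_PAGE_MARKERS = ("about:blank", "blank.htm")

# Constructed sample in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

def parse_entries(log_text):
    """Return (kind, body) pairs for every entry line, skipping process lists etc."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(log_text):
    """Flag entries worth a second look, mirroring the reasoning in the thread:
    R0/R1 pages reset to a blank page, O16 DPF entries with no download URL
    (an orphaned ActiveX record), O20 Winlogon Notify DLLs (these load before
    the desktop, so the vendor should be confirmed), and O23 services whose
    owner HijackThis could not identify. Returns (kind, reason, body) tuples."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1"):
            value = body.split("=", 1)[-1].strip().lower()
            if any(marker in value for marker in BLANK_PAGE_MARKERS):
                findings.append((kind, "IE page reset to blank", body))
        elif kind == "O16" and not re.search(r"https?://\S+", body):
            findings.append((kind, "DPF entry with no download URL", body))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((kind, "Winlogon Notify DLL, confirm vendor", body))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service with unknown owner", body))
    return findings

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

A flagged entry is a prompt to check the vendor and file, not proof of infection; the signed Webroot and AVG entries in the real log are legitimate.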



#11 sUBs

sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 22 October 2005 - 08:21 PM

Your system is clean.

Please follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level.
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  • SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
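The Internet Explorer hardening steps above set six Internet-zone options by hand. As an added example (not part of the thread or any of the tools it recommends), the script below audits the current user's Internet zone against exactly those recommended levels, so the change can be verified after the clicks. It assumes the standard IE zone-setting registry value names (1001, 1004, 1201, 1800, 1804, 1607 under Zones\3, with 0 = Enable, 1 = Prompt, 3 = Disable); on a non-Windows machine it falls back to a constructed sample mapping.

```python
# Registry value names under the Internet zone (zone 3) and their meaning.
# Assumption: these are the standard IE zone-setting value names; the
# recommended levels are the ones listed in the post above.
ENABLE, PROMPT, DISABLE = 0, 1, 3
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

def audit_zone(values):
    """Compare a {value_name: dword} mapping for the Internet zone against the
    recommended levels. Disable is stricter than Prompt, so only settings that
    are missing or laxer than recommended are reported, as
    (value_name, description, actual_level, recommended_level) tuples."""
    problems = []
    for value_name, (description, expected) in RECOMMENDED.items():
        actual = values.get(value_name)
        # A missing value means IE falls back to the zone template, so report it.
        if actual is None or actual < expected:
            problems.append((value_name, description,
                             LEVEL_NAMES.get(actual, "not set"), LEVEL_NAMES[expected]))
    return problems

def read_internet_zone():
    """Read the current user's Internet zone values from the registry (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for value_name in RECOMMENDED:
            try:
                data, _kind = winreg.QueryValueEx(key, value_name)
                values[value_name] = data
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it as "not set"
    return values

# Constructed sample: two settings still at Enable, one stricter than needed.
SAMPLE_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1800": ENABLE, "1804": ENABLE, "1607": DISABLE}

if __name__ == "__main__":
    try:
        current = read_internet_zone()
    except ImportError:
        current = SAMPLE_ZONE
    for value_name, desc, actual, expected in audit_zone(current):
        print(f"{value_name} {desc}: {actual} (recommended {expected})")
```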

#12 vnzjunk

vnzjunk
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 22 October 2005 - 09:02 PM

I have made the changes suggested. Everything appears to be ok at the present. Thanks for your help. It is a shame that these types of things have to be so difficult (time consuming) to resolve, but that is the way that it is for now I guess. Hopefully the precautions that you suggest and the settings that you suggest will help prevent some of the problems in the future.

Many thanks again for your help and have a good evening.

