Trojan.vundo.b


  • This topic is locked
7 replies to this topic

#1 jdfrox

Posted 20 October 2005 - 10:03 PM

Hi all. I have Norton AntiVirus and it keeps telling me that I have been infected with the Trojan.Vundo.B virus. I have repeatedly tried to delete the file, and when I ran the recommended virus removal program, it said the virus was not found. Yet every time I turn on the computer, it says I have been infected. I have run HijackThis and below is what was found. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:00:58 PM, on 10/20/2005
Platform: Windows XP SP2
MSIE: Internet Explorer

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Jeremy\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 Mat2


Posted 21 October 2005 - 04:57 AM


Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your malware issues. This may or may not solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

___________________________________________________

You'll need to move HiJackThis.exe out of a temporary directory and into a directory of its own, preferably C:\HJT (creating the folder if necessary).

The reason behind this is that HJT creates backups of every "fix" we do in the folder it's running in. If we happen to "fix" something and need it later on, there is a very good chance that, by that time, that TEMP directory could be purged and our backups would be lost.

If you need a detailed tutorial or just a better explanation as to why, please Look Here

Please move HJT to its own directory and repost your log.
Mat2




#3 Mat2


Posted 21 October 2005 - 12:17 PM

Hi

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\jkkjj.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\jjkkj.*

  • Press Enter to continue with the fix.
  • The fix will run and then HijackThis will open. If it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkjj.dll

    O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Mat2



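Added example, not part of the original posts and not code from HijackThis or VundoFix: the two entries singled out in the instructions above point at one DLL that is registered both as a BHO (O2) and as a Winlogon Notify package (O20). The Python below parses O2/O20 lines from a HijackThis log, flags any DLL registered under both, and checks a log taken after the fix for leftover references. The sample lines are copied from this thread's logs, and the "registered in both sections" rule is an assumption of this example, not a general detection signature.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple

# Sample input: a few O2/O20 lines copied from the first log in this thread.
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
"""

# Sample input: the matching lines from the log posted after the fix was run.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
"""


class Entry(NamedTuple):
    section: str   # HijackThis section code: "O2" (BHO) or "O20" (Winlogon Notify)
    name: str      # display name HijackThis printed for the entry
    path: str      # target file, lower-cased so paths compare case-insensitively
    missing: bool  # True when HijackThis appended "(file missing)"


_LINE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+)$")
_MISSING = " (file missing)"


def parse_hjt(log: str) -> list[Entry]:
    """Extract the O2 and O20 entries from HijackThis log text."""
    entries = []
    for raw in log.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # other sections are ignored in this example
        section, body = m.groups()
        # O2 is "name - {CLSID} - path"; O20 is "name - path".
        parts = body.split(" - ")
        name, path = parts[0], parts[-1]
        missing = path.endswith(_MISSING)
        if missing:
            path = path[: -len(_MISSING)]
        entries.append(Entry(section, name, path.lower(), missing))
    return entries


def shared_autoloads(entries: list[Entry]) -> list[str]:
    """Return paths registered as both a BHO and a Winlogon Notify package."""
    sections = defaultdict(set)
    for e in entries:
        sections[e.path].add(e.section)
    return sorted(p for p, s in sections.items() if {"O2", "O20"} <= s)


def residue(before_log: str, after_log: str) -> dict[str, list[tuple[str, bool]]]:
    """For each path flagged in the first log, list what the second log still
    references as (section, file_missing) pairs."""
    flagged = shared_autoloads(parse_hjt(before_log))
    after = parse_hjt(after_log)
    return {p: [(e.section, e.missing) for e in after if e.path == p]
            for p in flagged}


if __name__ == "__main__":
    print("flagged before fix:", shared_autoloads(parse_hjt(BEFORE)))
    print("still referenced after fix:", residue(BEFORE, AFTER))
```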

#4 jdfrox


Posted 22 October 2005 - 09:23 AM




Mat - Thanks for your help. It appears that it worked. Here are the results of the active scan and the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:15:05 AM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Spyware:Cookie/Adserver Reported C:\Documents and Settings\Angela\Cookies\angela@z1.adserver[1].txt
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Angela\Cookies\angela@zedo[1].txt
Spyware:Cookie/24/7 Realmedia Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@247realmedia[2].txt
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@2o7[1].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@adrevolver[1].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@adrevolver[3].txt
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ads.pointroll[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@advertising[1].txt
Spyware:Cookie/Apmebf Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@apmebf[2].txt
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@as1.falkag[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ask[1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt
Spyware:Cookie/Azjmp Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@azjmp[2].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@belnk[1].txt
Spyware:Cookie/Bfast Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@bfast[2].txt
Spyware:Cookie/Bluestreak Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@bluestreak[2].txt
Spyware:Cookie/Bs.serving-sys Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@burstnet[2].txt
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@casalemedia[2].txt
Spyware:Cookie/Ccbill Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ccbill[1].txt
Spyware:Cookie/CentrPort Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@centrport[2].txt
Spyware:Cookie/Imrworldwide Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@cgi-bin[4].txt
Spyware:Cookie/360i Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ct.360i[1].txt
Spyware:Cookie/Coremetrics Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@data.coremetrics[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@ehg.hitbox[2].txt
Spyware:Cookie/FastClick Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@fastclick[2].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[2].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[3].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[4].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[5].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[6].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@go[8].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@hitbox[2].txt
Spyware:Cookie/Maxserving Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@maxserving[2].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@mediaplex[1].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@overture[1].txt
Spyware:Cookie/PayCounter Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@paycounter[2].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@perf.overture[1].txt
Spyware:Cookie/QkSrv Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@qksrv[2].txt
Spyware:Cookie/Qsrch Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@qsrch[2].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@questionmarket[2].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@realmedia[1].txt
Spyware:Cookie/WUpd Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@revenue[1].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@servedby.advertising[1].txt
Spyware:Cookie/Serving-sys Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@serving-sys[1].txt
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@statcounter[2].txt
Spyware:Cookie/Reliablestats Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@statse.webtrendslive[2].txt
Spyware:Cookie/Toplist Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@toplist[1].txt
Spyware:Cookie/Tradedoubler Reported C:\Documents and Settings\Jeremy\Cookies\jeremy@tradedoubler[2].txt
Spyware:Cookie/Traffic MarketplaceReported C:\Documents and Settings

#5 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:08:32 AM

Posted 22 October 2005 - 09:54 AM

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we may need Windows to restart in Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

===================

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
===============
Please go to:
  • start
  • control panel
  • add/remove programs
Find and remove these programs (if they are present)
  • myway


===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll


O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let me know how everything goes.

Edited by Mat2, 22 October 2005 - 12:00 PM.

Mat2
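
Added example, not part of Mat2's post and not HijackThis's own code: a small Python triage pass over HijackThis log lines that flags the same kinds of entries ticked above (an O20 Winlogon Notify entry whose DLL is missing, an unnamed R3 URLSearchHook, an R0/R1 value pointing at a watched domain). The `KNOWN_NOTIFY` allowlist and `WATCHED_DOMAINS` watchlist are assumptions an analyst would maintain; the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: individual lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
"""

# Assumptions (hypothetical, analyst-maintained): notify packages expected on
# this machine, and domains whose appearance in IE settings should be reviewed.
KNOWN_NOTIFY = {"igfxcui"}
WATCHED_DOMAINS = {"myway.com"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
NOTIFY = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
REG_URL = re.compile(r"^(?P<key>.+?) = (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    reason: str  # why the line was flagged
    line: str    # the original log line


def host_matches(url, domains):
    """True if the URL's host is one of `domains` or a subdomain of one.

    Compares on label boundaries, so a path containing the name
    (".../mywaybiz") or a look-alike host ("notmyway.com") does not match.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text):
    """Return a Finding for each log line that deserves a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        code, body = m["code"], m["body"]
        if code == "O20":
            n = NOTIFY.match(body)
            if not n:
                continue
            if n["missing"]:
                # Registry still points at a DLL that is no longer on disk.
                findings.append(Finding(code, "notify DLL missing on disk", line))
            elif n["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding(code, "notify package not allowlisted", line))
        elif code == "R3" and "(no name)" in body:
            findings.append(Finding(code, "unnamed URLSearchHook", line))
        elif code in ("R0", "R1"):
            u = REG_URL.match(body)
            if u and host_matches(u["url"], WATCHED_DOMAINS):
                findings.append(Finding(code, "watched domain in IE setting", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<32} {f.line}")
```

A flagged line is a prompt for review, not a verdict: an allowlist miss only means the notify package is not one the analyst has already vetted.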




#6 jdfrox

Posted 23 October 2005 - 10:14 AM

Here is my new log. Everything seems to be working fine.

Logfile of HijackThis v1.99.1
Scan saved at 11:11:35 AM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 Mat2

Posted 23 October 2005 - 10:22 AM

Hi

Thanks for the new log

I will go over it and report back shortly.



Hi

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download Adaware

Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this

The program is available for download here

Download Spybot

Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventative tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here

Spybot can be downloaded from here

Download SpywareBlaster

Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here

You can download SpywareBlaster here

Download iespyad

It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here

Download it from here

hosts file:

o Every version of Windows has a hosts file as part of it.
o In a very basic sense, they are used to locate webpages.
o We can customize a hosts file so that it blocks certain webpages.
o However, it can slow down certain computers.
o This is why using a hosts file is optional!!

Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

Click the start button (at the lower left hand corner of your screen)
Click run
In the dialog box, type services.msc
hit enter, then locate dns client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok

Use a Firewall - I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below

Software Firewalls

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:

Antivirus Software

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windows Update Site regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Mat2




#8 Mat2

Posted 25 October 2005 - 09:28 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic.

This applies only to the original topic starter.

Everyone else please begin a New Topic.

Mat2


