
I Need Help!...again


This topic is locked
19 replies to this topic

#1 Fernando


  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 20 October 2005 - 11:31 PM

My friend recently upgraded to a better computer and gave me his old one. The only problem is that it's slow and crammed full of viruses/spyware/adware and possibly even malware. So I attached the HijackThis log and hopefully somebody will be able to help me delete all of them. Thanks in advance! (Keep in mind... the previous owner was a 16 year old, so don't judge me.)

Logfile of HijackThis v1.99.1
Scan saved at 11:12:30 PM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\winstall.exe
C:\winstall.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame6.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 127.0.0.4 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.4 x.full-tgp.net
O1 - Hosts: 127.0.0.4 counter.sexmaniack.com
O1 - Hosts: 127.0.0.4 autoescrowpay.com
O1 - Hosts: 127.0.0.4 www.autoescrowpay.com
O1 - Hosts: 127.0.0.4 www.awmdabest.com
O1 - Hosts: 127.0.0.4 www.sexfiles.nu
O1 - Hosts: 127.0.0.4 awmdabest.com
O1 - Hosts: 127.0.0.4 sexfiles.nu
O1 - Hosts: 127.0.0.4 allforadult.com
O1 - Hosts: 127.0.0.4 www.allforadult.com
O1 - Hosts: 127.0.0.4 www.iframe.biz
O1 - Hosts: 127.0.0.4 iframe.biz
O1 - Hosts: 127.0.0.4 www.newiframe.biz
O1 - Hosts: 127.0.0.4 newiframe.biz
O1 - Hosts: 127.0.0.4 www.vesbiz.biz
O1 - Hosts: 127.0.0.4 vesbiz.biz
O1 - Hosts: 127.0.0.4 www.pizdato.biz
O1 - Hosts: 127.0.0.4 pizdato.biz
O1 - Hosts: 127.0.0.4 www.aaasexypics.com
O1 - Hosts: 127.0.0.4 aaasexypics.com
O1 - Hosts: 127.0.0.4 www.virgin-tgp.net
O1 - Hosts: 127.0.0.4 virgin-tgp.net
O1 - Hosts: 127.0.0.4 www.awmcash.biz
O1 - Hosts: 127.0.0.4 awmcash.biz
O1 - Hosts: 127.0.0.4 buldog-stats.com
O1 - Hosts: 127.0.0.4 www.buldog-stats.com
O1 - Hosts: 127.0.0.4 fregat.drocherway.com
O1 - Hosts: 127.0.0.4 slutmania.biz
O1 - Hosts: 127.0.0.4 www.slutmania.biz
O1 - Hosts: 127.0.0.4 toolbarpartner.com
O1 - Hosts: 127.0.0.4 www.toolbarpartner.com
O1 - Hosts: 127.0.0.4 www.megapornix.com
O1 - Hosts: 127.0.0.4 megapornix.com
O1 - Hosts: 127.0.0.4 www.sp2bleeped.biz
O1 - Hosts: 127.0.0.4 sp2bleeped.biz
O1 - Hosts: 127.0.0.4 greg-tut.com
O1 - Hosts: 127.0.0.4 www.greg-tut.com
O1 - Hosts: 127.0.0.4 nylonsexy.com
O1 - Hosts: 127.0.0.4 www.nylonsexy.com
O1 - Hosts: 127.0.0.4 vparivalka.com
O1 - Hosts: 127.0.0.4 www.vparivalka.com
O1 - Hosts: 127.0.0.4 iframeprofit.com
O1 - Hosts: 127.0.0.4 www.iframeprofit.com
O1 - Hosts: 127.0.0.4 topsearch10.com
O1 - Hosts: 127.0.0.4 www.topsearch10.com
O1 - Hosts: 127.0.0.4 statscash.biz
O1 - Hosts: 127.0.0.4 www.statscash.biz
O1 - Hosts: 127.0.0.4 vxiframe.biz
O1 - Hosts: 127.0.0.4 www.vxiframe.biz
O1 - Hosts: 127.0.0.4 crazy-toolbar.com
O1 - Hosts: 127.0.0.4 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.4 topcash.biz
O1 - Hosts: 127.0.0.4 www.topcash.biz
O1 - Hosts: 127.0.0.4 loadcash.biz
O1 - Hosts: 127.0.0.4 www.loadcash.biz
O1 - Hosts: 127.0.0.4 txiframe.biz
O1 - Hosts: 127.0.0.4 www.txiframe.biz
O1 - Hosts: 127.0.0.4 procounter.biz
O1 - Hosts: 127.0.0.4 www.procounter.biz
O1 - Hosts: 127.0.0.4 advadmin.biz
O1 - Hosts: 127.0.0.4 www.advadmin.biz
O1 - Hosts: 127.0.0.4 trafficbest.net
O1 - Hosts: 127.0.0.4 www.trafficbest.net
O1 - Hosts: 127.0.0.4 besthvac.com
O1 - Hosts: 127.0.0.4 www.besthvac.com
O1 - Hosts: 127.0.0.4 traff4.com
O1 - Hosts: 127.0.0.4 www.traff4.com
O1 - Hosts: 127.0.0.4 ambush-script.com
O1 - Hosts: 127.0.0.4 www.ambush-script.com
O1 - Hosts: 127.0.0.4 beehappyy.biz
O1 - Hosts: 127.0.0.4 www.beehappyy.biz
O1 - Hosts: 127.0.0.4 tracktraff.cc
O1 - Hosts: 127.0.0.4 www.tracktraff.cc
O1 - Hosts: 127.0.0.4 allcount.net
O1 - Hosts: 127.0.0.4 www.allcount.net
O1 - Hosts: 127.0.0.4 onedayoffer.biz
O1 - Hosts: 127.0.0.4 www.onedayoffer.biz127.0.0.1 downloads1.kaspersky-labs.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {09E9343D-9C2E-4804-885C-991B0E4EA0E8} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: (no name) - {3620897D-6FB9-493B-EE31-6B44F2B2ADE8} - C:\WINDOWS\System32\cai.dll
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent011.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {B023AA40-60FB-4789-97D4-B24261245839} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {EFBA909D-3DBB-43AC-9473-583AF03732BA} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5060
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3414062.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q87406.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: B0FEGDCB - {52BC7D88-5C0B-72BF-6B21-12EC55625A6F} - C:\WINDOWS\System32\Heinng32.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\kbdhllfd.dll
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\oeofbqof.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Hjmiqjhf.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Fernando

  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 21 October 2005 - 12:42 AM

I deleted some stuff and cleaned up with CCleaner, and now this is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:30 AM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\winstall.exe
C:\winstall.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\maxd1.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\maxd1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {09E9343D-9C2E-4804-885C-991B0E4EA0E8} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: (no name) - {3620897D-6FB9-493B-EE31-6B44F2B2ADE8} - C:\WINDOWS\System32\cai.dll
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent011.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {B023AA40-60FB-4789-97D4-B24261245839} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {EFBA909D-3DBB-43AC-9473-583AF03732BA} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5060
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q4370406.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q87406.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: B0FEGDCB - {52BC7D88-5C0B-72BF-6B21-12EC55625A6F} - C:\WINDOWS\System32\Heinng32.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\kbdhllfd.dll
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\oeofbqof.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Hjmiqjhf.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#3 Mat2


    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:06:19 AM

Posted 21 October 2005 - 09:44 AM


Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your Malware issues: This may or may not, solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

Mat2




#4 Mat2


    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:06:19 AM

Posted 21 October 2005 - 10:54 AM

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

========

The first job is to unhide system files as follows:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
========
Please download hoster from the link below.

Hoster

Unzip Hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Empty Recycle Bin

==============
Please download Ewido Security Suite, it is a free version of the program.
  • Install ewido security suite
  • When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Once the updates are installed, do the following:
  • Reboot computer into "Safe Mode" using the "F8" method...
    • As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
    • Use the arrow keys to select the Safe Mode menu item
  • Once in Safe Mode start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite
=======
Restart back into normal mode.

Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

vxh8jkdq2.exe*
vxgamet2.exe*
split1.exe*
split2.exe*
updatesecurity.exe*
vxgame6.exe*
maxd1.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:

Web Related

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\paytime.exe
C:\winstall.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\maxd1.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u st3.dll
regsvr32 /u q87406.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll (file missing)

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5060

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q4370406.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q87406.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll

O21 - SSODL: B0FEGDCB - {52BC7D88-5C0B-72BF-6B21-12EC55625A6F} - C:\WINDOWS\System32\Heinng32.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\kbdhllfd.dll
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\oeofbqof.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Hjmiqjhf.dll (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\paytime.exe
C:\winstall.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\split2.exe
C:\WINDOWS\System32\updatesecurity.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\maxd1.exe
C:\WINDOWS\system32\st3.dll
C:\WINDOWS\q87406.dll
C:\WINDOWS\q4370406.dll
C:\WINDOWS\SYSTEM32\tcpG4T.dll
C:\WINDOWS\System32\kbdhllfd.dll

-

Note that some of these file(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them from Safe Mode as follows:

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

===============

Run Windows in normal mode. Post back a new HJT log and the Ewido log, and let me know how everything goes.

Edited by Mat2, 21 October 2005 - 11:02 AM.

Mat2
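One way to do the cross-check a helper does by hand at this point, as an added example that is not code from the thread, from HijackThis or from ewido: it parses a handful of HJT and ewido lines (constructed below from the entries quoted in the thread) and says, per HJT entry, whether ewido already cleaned it, failed on it, or left it for the manual kill/unregister/delete steps above. The verdict names, regexes and sample lines are this example's own assumptions.

```python
# Added example (not from the thread, HijackThis or ewido): parse a few HJT
# and ewido result lines and decide, per HJT entry, what is left to do by hand.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HJT result line: section code ("O2", "R0", ...), " - ", then the body.
HJT_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")   # drive-letter path, up to whitespace
# ewido result line: optional "[pid] ", target, " -> ", detection, " : ", status.
EWIDO_RE = re.compile(r"^(?:\[\d+\]\s+)?(.+?)\s+->\s+(\S+)\s+:\s+(.+)$")


@dataclass
class HjtEntry:
    section: str
    text: str
    clsid: Optional[str]   # upper-cased CLSID if the line carries one
    path: Optional[str]    # lower-cased first file path, if any
    file_missing: bool     # HJT already reports the file as gone


@dataclass
class EwidoHit:
    target: str            # registry key or file path
    detection: str
    status: str            # "Cleaned without backup", "Error during cleaning", ...


def parse_hjt(lines: List[str]) -> List[HjtEntry]:
    """Keep only scan-result lines and pull out the fields we cross-reference."""
    entries = []
    for line in lines:
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
        entries.append(HjtEntry(
            section, body,
            clsid.group(0).upper() if clsid else None,
            path.group(0).lower() if path else None,
            "(file missing)" in body or "(no file)" in body))
    return entries


def parse_ewido(lines: List[str]) -> List[EwidoHit]:
    hits = []
    for line in lines:
        m = EWIDO_RE.match(line.strip())
        if m:
            hits.append(EwidoHit(*m.groups()))
    return hits


def triage(entries: List[HjtEntry], hits: List[EwidoHit]) -> List[Tuple[HjtEntry, str]]:
    """Verdict per HJT entry: 'failed', 'cleaned', 'orphaned' or 'manual'."""
    cleaned_clsids, cleaned_paths, failed_paths = set(), set(), set()
    for h in hits:
        cleaned = h.status.lower().startswith("cleaned")
        if cleaned:
            cleaned_clsids.update(c.upper() for c in CLSID_RE.findall(h.target))
        p = PATH_RE.match(h.target)   # file hits start with a drive letter
        if p:
            (cleaned_paths if cleaned else failed_paths).add(p.group(0).lower())
    verdicts = []
    for e in entries:
        if e.path in failed_paths:
            v = "failed"     # ewido could not clean it: delete by hand / Safe Mode
        elif e.clsid in cleaned_clsids or e.path in cleaned_paths:
            v = "cleaned"    # ewido removed it; a stale HJT line may remain
        elif e.file_missing:
            v = "orphaned"   # file gone, registry pointer left: fix it in HJT
        else:
            v = "manual"     # untouched by ewido: kill, unregister, delete
        verdicts.append((e, v))
    return verdicts


# Constructed sample lines, copied from the entries quoted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
""".strip().splitlines()

EWIDO_SAMPLE = r"""
HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned without backup
[204] C:\WINDOWS\q87406.dll -> TrojanDownloader.Delf.h : Cleaned without backup
[692] C:\WINDOWS\q87406.dll -> TrojanDownloader.Delf.h : Error during cleaning
[764] C:\WINDOWS\System32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
""".strip().splitlines()

if __name__ == "__main__":
    for entry, verdict in triage(parse_hjt(HJT_SAMPLE), parse_ewido(EWIDO_SAMPLE)):
        print(f"{verdict:8s} {entry.section}  {entry.path or entry.clsid}")
```

A path that ewido reports both as cleaned and as "Error during cleaning" (q87406.dll above) is deliberately treated as failed, so it stays on the manual list.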




#5 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 21 October 2005 - 08:39 PM

I cleaned as many files as I could, but I could not delete

C:\WINDOWS\system32\st3.dll

I tried it in Safe Mode but it wouldn't delete. Everything else was deleted. My system is running faster and more efficiently. I'll attach the logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:41:29 PM, 10/21/2005
+ Report-Checksum: 7E5A5F27

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\TypeLib\\ -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478}\TypeLib\\ -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib\\ -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\TypeLib\\ -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\TypeLib\\ -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1 -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1\CLSID\\ -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77} -> Spyware.SimpleBar : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID\\ -> Spyware.ZToolbar : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator.1 -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.activator.1\CLSID\\ -> Spyware.ZToolbar : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID\\ -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar.1 -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar.1\CLSID\\ -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\CLSID -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaTickets -> Spyware.PurityScan : Cleaned without backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned without backup
HKU\S-1-5-21-112871519-2841629762-1622924706-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned without backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
[204] C:\WINDOWS\q87406.dll -> TrojanDownloader.Delf.h : Cleaned without backup
[692] C:\WINDOWS\q87406.dll -> TrojanDownloader.Delf.h : Error during cleaning
[748] C:\WINDOWS\System32\kernels32.exe -> TrojanDownloader.Agent.ws : Cleaned without backup
[764] C:\WINDOWS\System32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
[772] C:\WINDOWS\System32\vxh8jkdq6.exe -> TrojanDownloader.Agent.wq : Cleaned without backup
[784] C:\WINDOWS\System32\vxh8jkdq7.exe -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\1800.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\1984.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2692.tmp -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2708.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2728.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2792.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2864.tmp -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\2956.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3040.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3228.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3232.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3260.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3264.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3328.tmp -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3348.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3404.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3468.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3560.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3568.tmp -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\018907300\3620.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\mtrslib2[1].js -> TrojanDownloader.Small.ag : Cleaned without backup
C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\mtrslib2[3].js -> TrojanDownloader.Small.ag : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wfkisnczobp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wflyooc5eap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wjkykjcjaap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wjkyolajgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wjl4eoczkho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@e-2dj6wjlokpajcbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ehg-electricbusiness.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ehg-lowermybills.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@ehg-melbourneit.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@overture[1].txt -> Spyware.Cookie.Overture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned without backup
C:\Documents and Settings\Catalina\Cookies\catalina@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temp\5.qtdfmp -> TrojanDownloader.Small.awa : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temp\6.qtdfmp -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temp\7.qtdfmp -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temp\maxdd.game -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CP2FOTU3\001[1].exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CP2FOTU3\hosts[1].txt -> Trojan.Qhost.dx : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CP2FOTU3\q387[2].exe -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CTUN4XYJ\MediaTicketsInstaller[2].cab/MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CTUN4XYJ\tool2[1].txt -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\CTUN4XYJ\win32[1].exe -> TrojanDownloader.Agent.ws : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\12[1].exe -> TrojanDropper.Small.age : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\adsldpbc[1].dll -> TrojanDownloader.Delf.lh : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\count[1].htm -> TrojanDownloader.Inor.a : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\kl[1].txt -> TrojanDropper.Agent.xr : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\mtrslib2[2].js -> TrojanDownloader.Small.ag : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\paytime[1].txt -> Trojan.Small.fx : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\G1EZK5AV\ztoolbar[1].bmp -> Spyware.TNS-Search : Cleaned without backup
C:\Documents and Settings\Catalina\Local Settings\Temporary Internet Files\Content.IE5\Y5G7EH4P\tool1[1].txt -> TrojanDownloader.Small.bnt : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\1208.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\1212.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\1832.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2056.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2060.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2064.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2436.tmp -> TrojanDownloader.Small.biq : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2440.tmp -> Backdoor.Agent.iw : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2448.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2504.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2508.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2512.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2540.tmp -> TrojanDownloader.Small.biq : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2628.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2664.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2776.tmp -> Trojan.Crypt.l : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2824.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2844.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2872.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\2896.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\292.tmp -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3060.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3200.tmp -> TrojanDownloader.Small.biq : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3204.tmp -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3212.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3268.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3316.tmp -> Backdoor.Agent.iw : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3452.tmp -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3580.tmp -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\3756.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\4004.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\664.tmp -> Trojan.Crypt.l : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\964.tmp -> Backdoor.Agent.iw : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\984.tmp -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\018907300\988.tmp -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vx1.game -> TrojanDropper.Small.acg : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vx2.game -> Backdoor.Agent.iw : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vx3.game -> TrojanDownloader.Small.biq : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vx4.game -> Dialer.Generic : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vx6.game -> Trojan.LowZones.y : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vxt1.game -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vxt2.game -> TrojanProxy.Lager.x : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temp\vxt3.game -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\latest[1].exe -> Trojan.Crypt.l : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\mtrslib2[3].js -> TrojanDownloader.Small.ag : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\latest[1].exe -> Trojan.Crypt.l : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wfkokjc5clp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wfkouod5aep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wfliwkajmdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjnygmczifp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjnygndzidp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Guest\Cookies\guest@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> TrojanSpy.Small.dg : Cleaned without backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\base002.avd -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\heur003.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned without backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052671.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052672.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052673.exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052674.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052675.exe -> TrojanDownloader.Small.bho : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0052678.dll -> Worm.Prox.c : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0059721.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0059735.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0059736.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060720.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060724.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060725.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060726.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061720.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061724.exe -> Spyware.Zbar : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061725.exe -> Worm.Padobot.z : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061726.sys -> TrojanSpy.Qukart.s : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061727.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061728.exe -> Worm.Padobot.z : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061731.exe -> TrojanDropper.Small.afo : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061732.dll -> Worm.Padobot.z : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061733.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061734.exe -> TrojanDropper.Microjoin : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061735.exe -> TrojanDropper.Small.acz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061736.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061737.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061738.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061739.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061740.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061741.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061742.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061743.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061744.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061745.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061746.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061747.dll -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061748.dll -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061749.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061750.exe -> Trojan.Qhost.n : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061751.exe -> Trojan.Qhost.n : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061752.exe -> Trojan.Qhost.n : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061753.dll -> TrojanDownloader.Small.anu : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061754.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061756.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061757.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061758.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061759.exe -> Dialer.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0061760.exe -> Trojan.LowZones.y : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0062993.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0062998.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0063000.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0063001.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0063995.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064207.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064208.exe -> TrojanDropper.Small.acg : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064209.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064210.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064213.exe -> Dialer.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064214.exe -> Trojan.LowZones.y : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064215.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0064216.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065223.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\WINDOWS\0ujg4yeo.exe -> TrojanDownloader.Agent.wn : Cleaned without backup
C:\WINDOWS\adsldpbc.dll -> TrojanDownloader.Delf.lh : Cleaned without backup
C:\WINDOWS\desktop.html -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned without backup
C:\WINDOWS\hosts -> Trojan.Qhost.dx : Cleaned without backup
C:\WINDOWS\kl.exe -> TrojanDropper.Agent.xr : Cleaned without backup
C:\WINDOWS\loadnew.exe -> TrojanDownloader.Agent.wn : Cleaned without backup
C:\WINDOWS\mtuninst.exe -> Spyware.MediaTickets : Cleaned without backup
C:\WINDOWS\q87406.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\WINDOWS\SYSTEM\svchost.dll -> Trojan.Small : Cleaned without backup
C:\WINDOWS\SYSTEM\svchost.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\WINDOWS\SYSTEM32\25417140.exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\SYSTEM32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned without backup
C:\WINDOWS\SYSTEM32\cai.dll -> Spyware.PurityScan : Cleaned without backup
C:\WINDOWS\SYSTEM32\countrydial.exe -> Dialer.Generic : Cleaned without backup
C:\WINDOWS\SYSTEM32\efsdfgxg.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\WINDOWS\SYSTEM32\kbdhllfd.dll -> Worm.Prox.c : Cleaned without backup
C:\WINDOWS\SYSTEM32\kernels32.exe -> TrojanDownloader.Agent.ws : Cleaned without backup
C:\WINDOWS\SYSTEM32\latest.exe -> Trojan.Crypt.l : Cleaned without backup
C:\WINDOWS\SYSTEM32\maxd1.exe -> Dialer.Generic : Cleaned without backup
C:\WINDOWS\SYSTEM32\msudp4.sys -> TrojanSpy.Goldun.bf : Cleaned without backup
C:\WINDOWS\SYSTEM32\oins.exe -> Spyware.MediaTickets : Cleaned without backup
C:\WINDOWS\SYSTEM32\paytime.exe -> Trojan.Small.fx : Cleaned without backup
C:\WINDOWS\SYSTEM32\performent011.dll -> TrojanDownloader.Druser.h : Cleaned without backup
C:\WINDOWS\SYSTEM32\sysvcs.exe -> Trojan.Crypt.l : Cleaned without backup
C:\WINDOWS\SYSTEM32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned without backup
C:\WINDOWS\SYSTEM32\vx.tll -> Adware.SpySheriff : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgame2.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgame3.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgame4.exe -> Dialer.Generic : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgame6.exe -> Trojan.LowZones.y : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgamet1.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgamet2.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxgamet3.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe -> TrojanDownloader.Small.awa : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\WINDOWS\SYSTEM32\ztoolbar.bmp -> Spyware.TNS-Search : Cleaned without backup
C:\WINDOWS\SYSTEM32\~update.exe -> Trojan.Crypt.l : Cleaned without backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup


::Report End


--------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:38:08 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://red.clientapps.yahoo.com/customize/...ogin?game=Chess
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {09E9343D-9C2E-4804-885C-991B0E4EA0E8} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {3620897D-6FB9-493B-EE31-6B44F2B2ADE8} - C:\WINDOWS\System32\cai.dll (file missing)
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll (file missing)
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent011.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {B023AA40-60FB-4789-97D4-B24261245839} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {EFBA909D-3DBB-43AC-9473-583AF03732BA} - C:\WINDOWS\adsldpbc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 October 2005 - 03:14 AM

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

===============

Go to Trend Housecall, and then:
  • Click Check my PC now
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============
Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.

Uninstall the SpySheriff program and then exit Add/Remove Programs.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://red.clientapps.yahoo.com/customize/...ogin?game=Chess

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: C:\WINDOWS\adsldpbc.dll - {09E9343D-9C2E-4804-885C-991B0E4EA0E8} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {3620897D-6FB9-493B-EE31-6B44F2B2ADE8} - C:\WINDOWS\System32\cai.dll (file missing)
O2 - BHO: C:\WINDOWS\q87406.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q87406.dll (file missing)
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent011.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {B023AA40-60FB-4789-97D4-B24261245839} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {EFBA909D-3DBB-43AC-9473-583AF03732BA} - C:\WINDOWS\adsldpbc.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\SpySheriff

files...

C:\WINDOWS\system32\st3.dll

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from Safe Mode.

==============
Download Smitfraud.reg, and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

==============
Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
==============

Post back a new log, and let me know how everything goes.

Edited by Mat2, 22 October 2005 - 04:22 AM.

Mat2




#7 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 22 October 2005 - 03:39 PM

I tried running the Trend Housecall but it would not let me update it. I don't have any other virus scanning products or a firewall, so I don't know why it won't let me use the program. Once again, I could not delete

C:\WINDOWS\system32\st3.dll

But everything seems to be running fine.

here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:18 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 October 2005 - 03:51 PM

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\rdso\eetu.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)

O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\rdso

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from Safe Mode.

===============

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\st3.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

=============

Post back a new log, and let me know how everything goes.
Mat2




#9 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 22 October 2005 - 05:33 PM

That stubborn st3.dll will not be deleted! I followed every step and it would not budge! Everything else was fine. I deleted all the files listed and I'll post another log.

Logfile of HijackThis v1.99.1
Scan saved at 5:32:46 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 October 2005 - 05:57 PM

Hi

The first job is

Download Stinger to your desktop. Locate it and double-click, then follow the on-screen instructions. When done, report back anything it finds, etc.

==================

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
Next
=============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

c:\windows\system32\mdms.exe
C:\WINDOWS\cpu.dll
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\system32\st3.dll

Search for...

winservices.exe

...using "Start | Search...".

-

===============

Post back a new log, and let me know how everything goes.
Mat2
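Mat2's posts #6, #8 and #10 apply the same review pattern to each log: orphaned O2/O3 registrations, every O15 Trusted Zone addition, an O20 Winlogon Notify DLL that is not expected, and O4 Run entries with no path or hosted by rundll32. The script below is an added example (not from the thread, and not part of HijackThis) that encodes those rules and runs them over sample lines constructed from the posted logs; the KNOWN_WINLOGON_NOTIFY allowlist is an assumption for the example, and entries the helper removed by name (mdms.exe, sysvcs.exe) still need analyst judgment.

```python
"""Triage helper for HijackThis 1.99.x log lines.

Added example, not code from the thread or from HijackThis. It applies the
review rules the helper used above to sample lines constructed from the
posted logs. KNOWN_WINLOGON_NOTIFY is an assumed allowlist for this example.
"""
import re
from typing import List, Optional, Tuple

# Every HJT entry starts with a section tag (R0, F2, O2, O15, O20, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Winlogon Notify handlers expected on this Dell/Intel-graphics box (assumption
# for the example): anything else is reported for review, as st3 was above.
KNOWN_WINLOGON_NOTIFY = {"igfxcui"}

# Constructed sample: a subset of the thread's own log entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {3620897D-6FB9-493B-EE31-6B44F2B2ADE8} - C:\WINDOWS\System32\cai.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Remote Login Services] winservices.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted IP range: 67.19.178.84
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
"""


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for an HJT entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def command_exe(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command into (executable, remaining arguments)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the thread's review rules; return (reason, entry) pairs."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, body = parsed
        entry = raw.strip()
        if sec in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            # BHO/toolbar registration whose DLL is gone: debris from removed malware.
            findings.append(("orphaned registration", entry))
        elif sec == "O15":
            # Trusted Zone / Trusted IP range additions relax IE security for those
            # hosts; the helper removed every one of them.
            findings.append(("trusted zone addition", entry))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("unknown Winlogon Notify DLL", entry))
        elif sec == "O4":
            m = re.search(r"\] (.+)$", body)  # body: HKLM\..\Run: [Name] command
            cmd = m.group(1).strip() if m else ""
            if not cmd or cmd.lower() == "none":
                continue
            exe, _args = command_exe(cmd)
            if exe.lower() == "rundll32.exe":
                # rundll32 hosts an arbitrary DLL; the DLL argument is what to review.
                findings.append(("rundll32-hosted DLL", entry))
            elif "\\" not in exe:
                # Bare file name: location unknown, hence "Search for winservices.exe" above.
                findings.append(("Run entry without a path", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason:28} {entry}")
```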




#11 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 22 October 2005 - 06:43 PM

Once again, the st3.dll cannot be deleted because it's either "write-protected or in use". Stinger found

W32/Sdbot.worm.gen! virus in C\WINDOWS\SYSTEM32\_delete_on_reboot_vxh8jkdg6.exe

It was deleted and that was the end of that. Log is enclosed. Please advise.

Logfile of HijackThis v1.99.1
Scan saved at 4:42:52 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK

Posted 23 October 2005 - 04:07 AM

Welcome,
Please follow the instructions provided. You may want to print out these instructions and use them as a reference.

First:
You need to run Ewido again as follows:

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Next

Please download AimFix from Here and save it to the Desktop. Please run the removal tool.

Locate the file, double click on the program. Then just follow the on screen instructions.

Please do the following: Download, install, update, configure, and run Ad-Aware SE Personal 1.06.

Download Ad-Aware SE Personal 1.06:
  • Download Ad-Aware SE Personal.
  • Save aawsepersonal.exe to a convenient location (e.g. the Desktop).

Install Ad-Aware SE Personal:
  • Double-click on aawsepersonal.exe to install the program.
  • Follow the default settings for installation.
  • After the program has finished installing, uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.

Update Ad-Aware SE Personal:
  • Double-click the Ad-Aware SE Personal icon on your Desktop.
  • Click "Check for updates now" then click "Connect".
  • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".

Configure Ad-Aware SE Personal:
  • Click on the Gear button at the top of the window.
  • Click "General" on the left hand side to display the General Settings box.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Automatically save logfile"
    • "Automatically quarantine objects prior to removal"
    • "Safe Mode (always request confirmation)"
    • "Prompt to update outdated definitions" - change to 7 days from the default 14.
  • Click "Scanning" on the left hand side to display the Scan Settings box.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Scan within archives"
    • "Select drives & folders to scan" - select your hard drive(s).
    • "Scan active processes"
    • "Scan registry"
    • "Deep-scan registry"
    • "Scan my IE favorites for banned URLs"
    • "Scan my Hosts file"
  • Click "Advanced" on the left hand side to display the Advanced Settings box.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Move deleted files to Recycle Bin"
    • "Include additional object information"
    • "Include negligible objects information"
    • "Include environment information"
  • Click "Defaults" on the left hand side to display the Default Settings box.
  • Make sure the following items have your preferred settings in them:
    • "Default homepage"
    • "Default searchpage"
  • Click "Tweak" on the left hand side to display the Tweak Settings box.
  • Click the + (plus) sign next to the Log Files section. This will expand the section.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Include basic Ad-Aware settings in log file"
    • "Include additional Ad-Aware settings in log file"
    • "Include reference summary in log file"
    • "Include alternate data stream details in log file"
  • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Unload recognized processes & modules during scan"
    • "Scan registry for all users instead of current user only"
    • "Obtain command line of scanned processes"
  • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
  • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
    • "Always try to unload modules before deletion"
    • "During removal, unload Explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot"
    • "Delete quarantined objects after restoring"
  • Once you are done with these settings, click "Proceed" to save them. This will take you back to the main screen.

Run Ad-Aware SE Personal:
  • Click the "Start" button.
  • Uncheck the "Search for negligible risk entries" entry.
  • Choose the "Use custom scanning options" scan mode.
  • Click the "Next" button.
  • Ad-Aware will begin to scan for malware residing on your computer.
  • Allow the scan to finish.
  • Right-click on any entry in the list and click "Select All" to select the whole list.
  • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Once complete, you will need to do a new HJT log, which you can copy/paste back here with the Ewido log as well. Thanks
Mat2



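
The reply above asks for a fresh HJT log so it can be compared with the earlier one. As an added example (not from this thread and not part of HijackThis), here is a small Python parser that diffs two HijackThis v1.99 logs by section and flags the entry types a helper reads first: O15 Trusted Zone additions, O17 NameServer overrides and O20 Winlogon Notify DLLs. The two sample logs are constructed from lines of the HJT logs posted in this thread; the `WATCH` reasons and the `dns_allowlist` idea are assumptions of this example, not HijackThis output.

```python
"""Parse and compare HijackThis (HJT) v1.99 logs. Added example, not from
the thread; sample logs below are built from entries posted in it."""
import re

# One HJT entry: "<section> - <description>", e.g. "O4 - HKLM\..\Run: [IgfxTray] ..."
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Sections to read first: they change name resolution, IE security zones or
# code loaded by winlogon. Reason text is this example's, not HijackThis output.
WATCH = {
    "O15": "IE Trusted Zone addition (site gets relaxed security settings)",
    "O17": "DNS NameServer override (confirm the addresses are your ISP's)",
    "O20": "Winlogon Notify DLL (runs at logon; verify the file and publisher)",
}

LOG_BEFORE = r"""Scan saved at 4:42:52 PM, on 10/22/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\wanmpsvc.exe

O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
"""

LOG_AFTER = r"""Scan saved at 8:47:10 PM, on 10/23/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O15 - Trusted Zone: *.coolwebsearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""


def parse_hjt(text):
    """Map each section (R0, O4, ...) to the set of its entry descriptions."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def diff_hjt(old_text, new_text):
    """Return (added, removed) as {section: set(descriptions)} between two logs."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added = {s: d - old.get(s, set()) for s, d in new.items() if d - old.get(s, set())}
    removed = {s: d - new.get(s, set()) for s, d in old.items() if d - new.get(s, set())}
    return added, removed


def flag_entries(text, dns_allowlist=()):
    """Return (section, description, reason) for every entry in a WATCH section.
    An O17 entry is skipped when all its addresses are in dns_allowlist
    (the DNS servers the user's ISP is known to hand out)."""
    flags = []
    for section, descs in parse_hjt(text).items():
        if section not in WATCH:
            continue
        for desc in sorted(descs):
            if section == "O17":
                addrs = re.findall(r"\d+\.\d+\.\d+\.\d+", desc)
                if addrs and all(a in dns_allowlist for a in addrs):
                    continue
            flags.append((section, desc, WATCH[section]))
    return flags


if __name__ == "__main__":
    added, removed = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("new since last log:", added)
    print("gone since last log:", removed)
    for section, desc, reason in flag_entries(LOG_AFTER):
        print(f"[{section}] {desc}\n    -> {reason}")
```

Running it shows the two entries that appeared between the logs (the O15 Trusted Zone entry and the ewido service) and lists the O15 and both O20 entries for manual review, while the O17 entry is only suppressed when its addresses are passed in `dns_allowlist`.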

#13 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 23 October 2005 - 10:51 PM

Your instructions were followed and here's what I got:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:10 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

AIMFIX LOG:

1.3.1022.1653


Setting security privileges for AIMfix...

First, closing any running copies of AOL Instant Messenger (aim.exe):

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

Registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" removed

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:27:18 PM, 10/23/2005
+ Report-Checksum: 7922F15D

+ Scan result:

[1980] C:\WINDOWS\q862953.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Amber\Cookies\amber@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\danny\Cookies\danny@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned without backup
C:\Documents and Settings\danny\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\adsldpbc[1].dll -> TrojanDownloader.Delf.lh : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065224.exe -> TrojanDownloader.Agent.ws : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065225.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065226.exe -> TrojanSpy.Small.dg : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065231.dll -> Spyware.SpywareNo : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065232.dll -> Adware.SpySheriff : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065234.exe -> Adware.SpySheriff : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065235.exe -> TrojanDownloader.Agent.wn : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065236.dll -> TrojanDownloader.Delf.lh : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065237.exe -> TrojanDropper.Agent.xr : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065238.exe -> TrojanDownloader.Agent.wn : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065239.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065240.dll -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065241.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065242.exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065243.dll -> TrojanProxy.Small.ct : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065244.dll -> Spyware.PurityScan : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065245.exe -> Dialer.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065246.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065247.dll -> Worm.Prox.c : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065248.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065249.exe -> Dialer.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065250.exe -> Spyware.MediaTickets : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065251.exe -> Trojan.Small.fx : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065252.dll -> TrojanDownloader.Druser.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065253.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065254.exe -> TrojanDropper.Small.acg : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065255.exe -> Backdoor.Agent.iw : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065256.exe -> TrojanDownloader.Small.biq : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065257.exe -> Dialer.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065258.exe -> Trojan.LowZones.y : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065259.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065260.exe -> TrojanProxy.Lager.x : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065261.exe -> TrojanDownloader.Small.bpz : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065262.exe -> TrojanDownloader.Small.awa : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065263.exe -> Trojan.Crypt.l : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065264.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065306.dll -> TrojanDownloader.Delf.h : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065307.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0065308.dll -> TrojanSpy.Goldun.bp : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0066167.exe -> TrojanDownloader.Agent.wq : Cleaned without backup
C:\WINDOWS\adsldpbc.dll -> TrojanDownloader.Delf.lh : Cleaned without backup
C:\WINDOWS\q3164406.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q3414062.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q684625.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q760140.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q785500.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q851187.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q862953.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\q870781.dll -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\SYSTEM32\msudp4.sys -> TrojanSpy.Goldun.bf : Cleaned without backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__vxh8jkdq7.exe -> TrojanDownloader.Agent.wq : Cleaned without backup


::Report End


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, October 23, 2005 8:35:27 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R71 19.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CommonName(TAC index:7):1 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
Tracking Cookie(TAC index:3):32 total references
Windows(TAC index:3):1 total references
ZToolbar(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
CSI Fingerprints total : 886
CSI data size : 30371 Bytes
Target categories : 15
Target families : 679

10-23-2005 8:28:15 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R71 19.10.2005
Internal build : 83
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 536446 Bytes
Total size : 1605851 Bytes
Signature data size : 1572346 Bytes
Reference data size : 32993 Bytes
Signatures total : 44624
CSI Fingerprints total : 1056
CSI data size : 37714 Bytes
Target categories : 15
Target families : 763


10-23-2005 8:29:52 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:18 %
Total physical memory:129024 kb
Available physical memory:22636 kb
Total page file size:314500 kb
Available on page file:158944 kb
Total virtual memory:2097024 kb
Available virtual memory:2043244 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


10-23-2005 8:35:27 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 376
ThreadCreationTime : 10-24-2005 12:42:51 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 440
ThreadCreationTime : 10-24-2005 12:42:52 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 464
ThreadCreationTime : 10-24-2005 12:42:53 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 508
ThreadCreationTime : 10-24-2005 12:42:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 520
ThreadCreationTime : 10-24-2005 12:42:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 688
ThreadCreationTime : 10-24-2005 12:42:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 712
ThreadCreationTime : 10-24-2005 12:42:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1020
ThreadCreationTime : 10-24-2005 12:42:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1060
ThreadCreationTime : 10-24-2005 12:42:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1184
ThreadCreationTime : 10-24-2005 12:42:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.1699 (xpsp2.050610-1533)
ProductVersion : 5.1.2600.1699
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [acsd.exe]
ModuleName : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
Command Line : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
ProcessID : 1284
ThreadCreationTime : 10-24-2005 12:42:59 AM
BasePriority : Normal


#:12 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 1336
ThreadCreationTime : 10-24-2005 12:42:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [wanmpsvc.exe]
ModuleName : C:\WINDOWS\wanmpsvc.exe
Command Line : "C:\WINDOWS\wanmpsvc.exe"
ProcessID : 1364
ThreadCreationTime : 10-24-2005 12:42:59 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:14 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1980
ThreadCreationTime : 10-24-2005 12:43:04 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [hkcmd.exe]
ModuleName : C:\WINDOWS\System32\hkcmd.exe
Command Line : "C:\WINDOWS\System32\hkcmd.exe"
ProcessID : 188
ThreadCreationTime : 10-24-2005 12:43:07 AM
BasePriority : Normal
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:16 [pcmservice.exe]
ModuleName : C:\Program Files\Dell\Media Experience\PCMService.exe
Command Line : "C:\Program Files\Dell\Media Experience\PCMService.exe"
ProcessID : 200
ThreadCreationTime : 10-24-2005 12:43:07 AM
BasePriority : Normal
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
ProductName : PCM2Launcher Application
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
LegalCopyright : Copyright c 2003 CyberLink Corp.
OriginalFilename : PCM2Launcher.EXE

#:17 [dsagnt.exe]
ModuleName : C:\Program Files\Dell Support\DSAgnt.exe
Command Line : "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ProcessID : 208
ThreadCreationTime : 10-24-2005 12:43:07 AM
BasePriority : Below Normal
FileVersion : 1, 1, 0, 73
ProductVersion : 1, 1, 0, 73
ProductName : Dell Support
CompanyName : Gteko Ltd.
FileDescription : Dell Support
InternalName : AUAgent
LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd.
OriginalFilename : AUAgent.exe

#:18 [ymsgr_tray.exe]
ModuleName : C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
Command Line : "C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe" -ymsgr
ProcessID : 824
ThreadCreationTime : 10-24-2005 12:43:19 AM
BasePriority : Normal


#:19 [wuauclt.exe]
ModuleName : C:\WINDOWS\System32\wuauclt.exe
Command Line : "C:\WINDOWS\System32\wuauclt.exe"
ProcessID : 1896
ThreadCreationTime : 10-24-2005 12:45:15 AM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:20 [iexplore.exe]
ModuleName : C:\Program Files\Internet Explorer\iexplore.exe
Command Line : "C:\Program Files\Internet Explorer\iexplore.exe"
ProcessID : 228
ThreadCreationTime : 10-24-2005 12:46:40 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:21 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1872
ThreadCreationTime : 10-24-2005 1:08:39 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:22 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 296
ThreadCreationTime : 10-24-2005 1:27:37 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ZToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dcfab192-4a0e-4720-8e24-70d5f0cb8c39}

ZToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f4394f24-163d-430b-b5af-b68b56031b99}

CommonName Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-0000-0000-0000-000000000000}

Windows Object Recognized!
Type : RegData
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible unintended lockout from Task Manager (Task manager access disabled)
Rootkey : HKEY_USERS
Object : S-1-5-21-112871519-2841629762-1622924706-1010\software\microsoft\windows\currentversion\policies\system
Value : DisableTaskMgr
Data :

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : searchmeup.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmeup.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com
Trusted zone presumably compromised : searchmeup.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 5


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:danny@tribalfusion.com/
Expires : 12-31-2037 7:00:00 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:44
Value : Cookie:danny@advertising.com/
Expires : 10-21-2010 6:48:24 PM
LastSync : Hits:44
UseCount : 0
Hits : 44

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:61
Value : Cookie:danny@casalemedia.com/
Expires : 10-13-2006 2:47:42 PM
LastSync : Hits:61
UseCount : 0
Hits : 61

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:danny@realmedia.com/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:danny@doubleclick.net/
Expires : 10-21-2008 3:40:44 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:danny@imrworldwide.com/cgi-bin
Expires : 10-20-2015 6:47:22 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@valueclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:danny@valueclick.com/
Expires : 10-16-2030 3:51:54 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@S111319[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:danny@statse.webtrendslive.com/S111319
Expires : 12-31-2020 3:00:00 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@adrevolver[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:danny@media.adrevolver.com/adrevolver/
Expires : 7-18-2008 6:13:00 AM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:danny@revenue.net/
Expires : 6-10-2022 12:05:42 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@adrevolver[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:danny@adrevolver.com/
Expires : 10-22-2006 9:55:20 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@servedby.advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:28
Value : Cookie:danny@servedby.advertising.com/
Expires : 11-21-2005 6:48:24 PM
LastSync : Hits:28
UseCount : 0
Hits : 28

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@landing.domainsponsor[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:danny@landing.domainsponsor.com/
Expires : 10-10-2007 9:56:54 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:danny@tradedoubler.com/
Expires : 10-17-2025 3:39:46 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@statse.webtrendslive[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:danny@statse.webtrendslive.com/
Expires : 10-20-2015 6:02:18 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:danny@atdmt.com/
Expires : 10-20-2010 7:00:00 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:26
Value : Cookie:danny@fastclick.net/
Expires : 10-22-2007 6:48:06 PM
LastSync : Hits:26
UseCount : 0
Hits : 26

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : danny@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:danny@statse.webtrendslive.com/dcsgcxwngpifwznfzlmv83o6w_5w4m
Expires : 10-20-2015 6:02:18 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 23



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : amber@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Amber\Cookies\amber@adrevolver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : amber@adrevolver[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Amber\Cookies\amber@adrevolver[3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : amber@adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Amber\Cookies\amber@adserver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : amber@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Amber\Cookies\amber@apmebf[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : amber@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Amber\Cookies\amber@realmedia[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@abcsearch[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@abcsearch[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@adrevolver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@adrevolver[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@adrevolver[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@apmebf[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@apmebf[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@oinadserve[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@oinadserve[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@qsrch[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@seeq[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@seeq[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : catalina@tickle[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Catalina\Cookies\catalina@tickle[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : guest@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Guest\Cookies\guest@zedo[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
9 entries scanned.
New critical objects:0
Objects found so far: 37




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ZToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\zsearchco

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 38

8:42:16 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:49.62
Objects scanned:110749
Objects identified:38
Objects ignored:0
New critical objects:38

#14 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK

Posted 24 October 2005 - 03:42 AM

Hi

Thanks for the logs. Here's the next stage.

==============

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"

Let's continue on with the fix...

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O15 - Trusted Zone: *.coolwebsearch.com

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let me know how everything goes.
Mat2




#15 Fernando

Fernando
  • Topic Starter

  • Members
  • 16 posts

Posted 24 October 2005 - 03:45 PM

I ran CWShredder and when I rebooted, as soon as I logged in it said that CWShredder was not responding and asked whether I'd like to send the report. CW said it removed one trace of a virus:

W32.Look2me

Other than that I don't know what else it did.

Here's the HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 1:45:41 PM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\danny\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\danny\Desktop\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
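Mat2's instruction above (check the O15 Trusted Zone line, then "Fix checked") and the HijackThis log just posted both come down to reading the tool's section-coded entries and deciding which ones need a second look. The script below is an added example written for this thread; it is not code from HijackThis, from Mat2 or from Fernando. It parses a constructed sample log modelled on the lines in this thread and flags three kinds of entry a helper would review: O15 Trusted Zone additions, O17 per-adapter DNS servers, and O20 Winlogon Notify DLLs that are not on an allowlist. The allowlist (`KNOWN_NOTIFY_DLLS`) is an assumption made for the example, so an O20 DLL it reports is "not on the expected list", nothing more; whether an entry is actually unwanted is still the helper's call.

```python
"""Triage a HijackThis v1.99.1 log by section code (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample log, modelled on the HijackThis lines in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O15 - Trusted Zone: *.coolwebsearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDCC6F0-CC57-41A2-8FCC-136A33BF2B67}: NameServer = 64.66.192.20 64.66.192.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Winlogon Notify DLLs treated as expected on this machine. This is a
# constructed allowlist for the example, not a HijackThis or Microsoft list;
# a real one is built from a known-clean install of the same image.
KNOWN_NOTIFY_DLLS: Set[str] = {"igfxsrvc.dll"}

# HijackThis prefixes every entry with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the section-coded entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group(1), "body": m.group(2)})
    return entries


def triage(entries: List[Dict[str, str]],
           known_notify_dlls: Set[str] = KNOWN_NOTIFY_DLLS) -> List[Dict[str, str]]:
    """Pick out the entries a helper would review and say why."""
    known = {d.lower() for d in known_notify_dlls}
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "O15" and body.startswith("Trusted Zone:"):
            # IE applies the relaxed Trusted sites security settings to this domain.
            domain = body.split(":", 1)[1].strip()
            findings.append({"code": code, "item": domain,
                             "reason": "domain added to the IE Trusted Zone"})
        elif code == "O17":
            # DNS servers set on an adapter; anything not the ISP's is worth a look.
            m = re.search(r"NameServer = (.*)$", body)
            if m:
                for ip in m.group(1).split():
                    findings.append({"code": code, "item": ip,
                                     "reason": "DNS server on an adapter; confirm it is the ISP's"})
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            # Notify DLLs load into winlogon at logon, before the desktop appears.
            dll_path = body.rsplit(" - ", 1)[-1]
            dll_name = dll_path.rsplit("\\", 1)[-1].lower()
            if dll_name not in known:
                findings.append({"code": code, "item": dll_path,
                                 "reason": "Winlogon Notify DLL not on the expected list"})
    return findings


def main() -> None:
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['code']:>4}  {f['item']}\n      {f['reason']}")


if __name__ == "__main__":
    main()
```

Run against a pasted log instead of the sample by reading the file into `parse_hjt`; the O15 line is the one Mat2 asked to fix, and the O17 and O20 rules only ask for confirmation, since a name server can legitimately be the ISP's and a notify DLL can legitimately belong to a driver.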
