Random Popups With Yyy65.html


12 replies to this topic

#1 bigt


Posted 15 November 2005 - 07:17 PM

Hi guys.

Ironically, I was trying to find an activation code to start up my Norton antivirus and I was hit with this virus. It randomly opens internet browsers and links me to pages, many of which end in yyy65.html. It is now bogging down my virtual memory. The windows open randomly. Sometimes I will go 10 min without a pop-up. Sometimes I will get 5 in 5 min. As well, the pop-ups do not show up in my Windows bar or in my task manager. I also don't think it is the L2M virus. I could be wrong, but I can not find the process running in the task manager. I tried Trend Micro, Search and Destroy, McAfee Stinger, and still they are there. Please help. I am a web programmer and can not lose my files to this stupid thing.


#2 bigt


Posted 15 November 2005 - 07:23 PM

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:21:11 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\cfam\Program\dfp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - Default URLSearchHook is missing
O1 - Hosts: .com
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PSwitch] C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128312412277
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\en44l1hq1.dll
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#3 -David-


Posted 16 November 2005 - 11:46 AM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#4 bigt


Posted 17 November 2005 - 01:18 PM

OK, so I ran Spy Sweeper and it found Look2Me along with some others. Here is the session log for the sweep, and thanks for this help.

********
10:01 AM: | Start of Session, Thursday, November 17, 2005 |
10:01 AM: Spy Sweeper started
10:01 AM: Sweep initiated using definitions version 573
10:01 AM: Starting Memory Sweep
10:02 AM: Found Adware: look2me
10:02 AM: Detected running threat: C:\WINDOWS\system32\o084lalq1dqe.dll (ID = 163672)
10:03 AM: Detected running threat: C:\WINDOWS\system32\sbsgl.dll (ID = 163672)
10:05 AM: Memory Sweep Complete, Elapsed Time: 00:03:46
10:05 AM: Starting Registry Sweep
10:05 AM: Found Adware: internetoptimizer
10:05 AM: HKU\WRSS_Profile_S-1-5-21-57989841-688789844-854245398-1005\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 818746)
10:05 AM: Found Adware: starware toolbar
10:05 AM: HKU\S-1-5-21-57989841-688789844-854245398-1003\software\microsoft\internet explorer\explorer bars\{7bed0340-176b-44bc-915e-c21c1dd6f617}\ (1 subtraces) (ID = 142856)
10:05 AM: HKU\S-1-5-21-57989841-688789844-854245398-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {7bed0340-176b-44bc-915e-c21c1dd6f617} (ID = 142861)
10:06 AM: Registry Sweep Complete, Elapsed Time:00:00:31
10:06 AM: Starting Cookie Sweep
10:06 AM: Found Spy Cookie: sandboxer cookie
10:06 AM: mike@0[1].txt (ID = 3282)
10:06 AM: Found Spy Cookie: 888 cookie
10:06 AM: mike@888[2].txt (ID = 2019)
10:06 AM: Found Spy Cookie: yieldmanager cookie
10:06 AM: mike@ad.yieldmanager[1].txt (ID = 3751)
10:06 AM: mike@ad.yieldmanager[3].txt (ID = 3751)
10:06 AM: Found Spy Cookie: adtech cookie
10:06 AM: mike@adtech[2].txt (ID = 2155)
10:06 AM: Found Spy Cookie: advertising cookie
10:06 AM: mike@advertising[1].txt (ID = 2175)
10:06 AM: Found Spy Cookie: apmebf cookie
10:06 AM: mike@apmebf[2].txt (ID = 2229)
10:06 AM: Found Spy Cookie: atlas dmt cookie
10:06 AM: mike@atdmt[2].txt (ID = 2253)
10:06 AM: Found Spy Cookie: belnk cookie
10:06 AM: mike@ath.belnk[2].txt (ID = 2293)
10:06 AM: mike@belnk[2].txt (ID = 2292)
10:06 AM: Found Spy Cookie: sextracker cookie
10:06 AM: mike@counter14.sextracker[1].txt (ID = 3362)
10:06 AM: mike@counter3.sextracker[1].txt (ID = 3362)
10:06 AM: mike@counter8.sextracker[1].txt (ID = 3362)
10:06 AM: mike@counter9.sextracker[1].txt (ID = 3362)
10:06 AM: Found Spy Cookie: 360i cookie
10:06 AM: mike@ct.360i[1].txt (ID = 1962)
10:06 AM: Found Spy Cookie: clickzs cookie
10:06 AM: mike@cz4.clickzs[2].txt (ID = 2413)
10:06 AM: mike@dist.belnk[1].txt (ID = 2293)
10:06 AM: Found Spy Cookie: starware.com cookie
10:06 AM: mike@h.starware[1].txt (ID = 3442)
10:06 AM: Found Spy Cookie: screensavers.com cookie
10:06 AM: mike@i.screensavers[1].txt (ID = 3298)
10:06 AM: Found Spy Cookie: infospace cookie
10:06 AM: mike@infospace[2].txt (ID = 2865)
10:06 AM: Found Spy Cookie: touchclarity cookie
10:06 AM: mike@msn.touchclarity[1].txt (ID = 3566)
10:06 AM: Found Spy Cookie: mywebsearch cookie
10:06 AM: mike@mywebsearch[2].txt (ID = 3051)
10:06 AM: Found Spy Cookie: paypopup cookie
10:06 AM: mike@paypopup[2].txt (ID = 3119)
10:06 AM: Found Spy Cookie: overture cookie
10:06 AM: mike@perf.overture[1].txt (ID = 3106)
10:06 AM: Found Spy Cookie: qksrv cookie
10:06 AM: mike@qksrv[2].txt (ID = 3213)
10:06 AM: Found Spy Cookie: reunion cookie
10:06 AM: mike@reunion[1].txt (ID = 3255)
10:06 AM: Found Spy Cookie: rn11 cookie
10:06 AM: mike@rn11[2].txt (ID = 3261)
10:06 AM: Found Spy Cookie: servedby advertising cookie
10:06 AM: mike@servedby.advertising[1].txt (ID = 3335)
10:06 AM: mike@starware[2].txt (ID = 3441)
10:06 AM: Found Spy Cookie: onestat.com cookie
10:06 AM: mike@stat.onestat[2].txt (ID = 3098)
10:06 AM: mike@www.888[1].txt (ID = 2020)
10:06 AM: Found Spy Cookie: 2o7.net cookie
10:06 AM: lindsay@2o7[2].txt (ID = 1957)
10:06 AM: lindsay@ad.yieldmanager[1].txt (ID = 3751)
10:06 AM: Found Spy Cookie: adrevolver cookie
10:06 AM: lindsay@adrevolver[2].txt (ID = 2088)
10:06 AM: lindsay@adrevolver[3].txt (ID = 2088)
10:06 AM: Found Spy Cookie: addynamix cookie
10:06 AM: lindsay@ads.addynamix[2].txt (ID = 2062)
10:06 AM: Found Spy Cookie: ads.adsag cookie
10:06 AM: lindsay@ads.adsag[2].txt (ID = 2108)
10:06 AM: Found Spy Cookie: pointroll cookie
10:06 AM: lindsay@ads.pointroll[1].txt (ID = 3148)
10:06 AM: lindsay@atdmt[2].txt (ID = 2253)
10:06 AM: Found Spy Cookie: banner cookie
10:06 AM: lindsay@banner[1].txt (ID = 2276)
10:06 AM: Found Spy Cookie: burstnet cookie
10:06 AM: lindsay@burstnet[2].txt (ID = 2336)
10:06 AM: Found Spy Cookie: linksynergy cookie
10:06 AM: lindsay@linksynergy[1].txt (ID = 2926)
10:06 AM: lindsay@rn11[2].txt (ID = 3261)
10:06 AM: Found Spy Cookie: serving-sys cookie
10:06 AM: lindsay@serving-sys[2].txt (ID = 3343)
10:06 AM: Found Spy Cookie: servlet cookie
10:06 AM: lindsay@servlet[1].txt (ID = 3345)
10:06 AM: Found Spy Cookie: myaffiliateprogram.com cookie
10:06 AM: lindsay@www.myaffiliateprogram[1].txt (ID = 3032)
10:06 AM: Found Spy Cookie: zedo cookie
10:06 AM: lindsay@zedo[2].txt (ID = 3762)
10:06 AM: travis@0[2].txt (ID = 3282)
10:06 AM: travis@127.0.0[2].txt (ID = 3281)
10:06 AM: travis@888[2].txt (ID = 2019)
10:06 AM: Found Spy Cookie: adlegend cookie
10:06 AM: travis@adlegend[1].txt (ID = 2074)
10:06 AM: travis@adrevolver[1].txt (ID = 2088)
10:06 AM: Found Spy Cookie: alt cookie
10:06 AM: travis@alt[1].txt (ID = 2217)
10:06 AM: Found Spy Cookie: barelylegal cookie
10:06 AM: travis@c.fsx[2].txt (ID = 2286)
10:06 AM: travis@c4.zedo[1].txt (ID = 3763)
10:06 AM: Found Spy Cookie: commission junction cookie
10:06 AM: travis@cju.cj[1].txt (ID = 2454)
10:06 AM: Found Spy Cookie: clickbank cookie
10:06 AM: travis@clickbank[1].txt (ID = 2398)
10:06 AM: travis@ehealthcaresolutions.122.2o7[1].txt (ID = 1958)
10:06 AM: Found Spy Cookie: about cookie
10:06 AM: travis@gonewengland.about[1].txt (ID = 2038)
10:06 AM: travis@h.starware[2].txt (ID = 3442)
10:06 AM: Found Spy Cookie: hitstats.net cookie
10:06 AM: travis@hitstats[1].txt (ID = 2791)
10:06 AM: travis@i.screensavers[1].txt (ID = 3298)
10:06 AM: travis@microsofteup.112.2o7[2].txt (ID = 1958)
10:06 AM: travis@msn.touchclarity[1].txt (ID = 3566)
10:06 AM: travis@mywebsearch[1].txt (ID = 3051)
10:06 AM: Found Spy Cookie: passion cookie
10:06 AM: travis@passion[1].txt (ID = 3113)
10:06 AM: Found Spy Cookie: pokerroom cookie
10:06 AM: travis@pokerroom[2].txt (ID = 3149)
10:06 AM: travis@servlet[1].txt (ID = 3345)
10:06 AM: travis@starware[2].txt (ID = 3441)
10:06 AM: Found Spy Cookie: dealtime cookie
10:06 AM: travis@stat.dealtime[2].txt (ID = 2506)
10:06 AM: travis@stat.onestat[1].txt (ID = 3098)
10:06 AM: travis@www.888[1].txt (ID = 2020)
10:06 AM: travis@www.cj[1].txt (ID = 2454)
10:06 AM: travis@www.screensavers[1].txt (ID = 3298)
10:06 AM: travis@www.starware[1].txt (ID = 3442)
10:06 AM: Found Spy Cookie: xiti cookie
10:06 AM: travis@xiti[1].txt (ID = 3717)
10:06 AM: Found Spy Cookie: yadro cookie
10:06 AM: travis@yadro[1].txt (ID = 3743)
10:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:12
10:06 AM: Starting File Sweep
10:09 AM: saxcoins.dll (ID = 163672)
10:09 AM: Found Adware: apropos
10:09 AM: wingenerics.dll (ID = 50187)
10:10 AM: o084lalq1dqe.dll (ID = 163672)
10:10 AM: sbsgl.dll (ID = 163672)
10:11 AM: dicprop.dll (ID = 163672)
10:11 AM: File Sweep Complete, Elapsed Time: 00:05:30
10:11 AM: Full Sweep has completed. Elapsed time 00:10:18
10:11 AM: Traces Found: 88
10:12 AM: Removal process initiated
10:13 AM: Quarantining All Traces: look2me
10:13 AM: look2me is in use. It will be removed on reboot.
10:13 AM: o084lalq1dqe.dll is in use. It will be removed on reboot.
10:13 AM: sbsgl.dll is in use. It will be removed on reboot.
10:13 AM: C:\WINDOWS\system32\o084lalq1dqe.dll is in use. It will be removed on reboot.
10:13 AM: C:\WINDOWS\system32\sbsgl.dll is in use. It will be removed on reboot.
10:13 AM: Quarantining All Traces: apropos
10:13 AM: apropos is in use. It will be removed on reboot.
10:13 AM: wingenerics.dll is in use. It will be removed on reboot.
10:13 AM: Quarantining All Traces: internetoptimizer
10:13 AM: Quarantining All Traces: starware toolbar
10:13 AM: Quarantining All Traces: 2o7.net cookie
10:13 AM: Quarantining All Traces: 360i cookie
10:13 AM: Quarantining All Traces: 888 cookie
10:13 AM: Quarantining All Traces: about cookie
10:13 AM: Quarantining All Traces: addynamix cookie
10:13 AM: Quarantining All Traces: adlegend cookie
10:13 AM: Quarantining All Traces: adrevolver cookie
10:13 AM: Quarantining All Traces: ads.adsag cookie
10:13 AM: Quarantining All Traces: adtech cookie
10:13 AM: Quarantining All Traces: advertising cookie
10:13 AM: Quarantining All Traces: alt cookie
10:13 AM: Quarantining All Traces: apmebf cookie
10:13 AM: Quarantining All Traces: atlas dmt cookie
10:13 AM: Quarantining All Traces: banner cookie
10:13 AM: Quarantining All Traces: barelylegal cookie
10:13 AM: Quarantining All Traces: belnk cookie
10:13 AM: Quarantining All Traces: burstnet cookie
10:13 AM: Quarantining All Traces: clickbank cookie
10:13 AM: Quarantining All Traces: clickzs cookie
10:13 AM: Quarantining All Traces: commission junction cookie
10:13 AM: Quarantining All Traces: dealtime cookie
10:13 AM: Quarantining All Traces: hitstats.net cookie
10:13 AM: Quarantining All Traces: infospace cookie
10:13 AM: Quarantining All Traces: linksynergy cookie
10:13 AM: Quarantining All Traces: myaffiliateprogram.com cookie
10:13 AM: Quarantining All Traces: mywebsearch cookie
10:13 AM: Quarantining All Traces: onestat.com cookie
10:13 AM: Quarantining All Traces: overture cookie
10:13 AM: Quarantining All Traces: passion cookie
10:13 AM: Quarantining All Traces: paypopup cookie
10:13 AM: Quarantining All Traces: pointroll cookie
10:13 AM: Quarantining All Traces: pokerroom cookie
10:13 AM: Quarantining All Traces: qksrv cookie
10:13 AM: Quarantining All Traces: reunion cookie
10:13 AM: Quarantining All Traces: rn11 cookie
10:13 AM: Quarantining All Traces: sandboxer cookie
10:13 AM: Quarantining All Traces: screensavers.com cookie
10:13 AM: Quarantining All Traces: servedby advertising cookie
10:13 AM: Quarantining All Traces: serving-sys cookie
10:13 AM: Quarantining All Traces: servlet cookie
10:13 AM: Quarantining All Traces: sextracker cookie
10:13 AM: Quarantining All Traces: starware.com cookie
10:13 AM: Quarantining All Traces: touchclarity cookie
10:13 AM: Quarantining All Traces: xiti cookie
10:13 AM: Quarantining All Traces: yadro cookie
10:13 AM: Quarantining All Traces: yieldmanager cookie
10:13 AM: Quarantining All Traces: zedo cookie
10:14 AM: Removal process completed. Elapsed time 00:02:01
********
9:59 AM: | Start of Session, Thursday, November 17, 2005 |
9:59 AM: Spy Sweeper started
10:00 AM: Your spyware definitions have been updated.
10:01 AM: | End of Session, Thursday, November 17, 2005 |

#5 bigt


Posted 17 November 2005 - 01:26 PM

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:06 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\CFusion\Bin\cfserver.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\CFusion\cfam\Program\wsm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - Default URLSearchHook is missing
O1 - Hosts: .com
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PSwitch] C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128312412277
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 -David-


Posted 17 November 2005 - 01:44 PM

Are the pop-ups gone?

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end!
David

#7 bigt


Posted 17 November 2005 - 01:46 PM

I will do so. And so far, so good. I was told I had a bad rbot virus. Do you see anything?

#8 -David-


Posted 17 November 2005 - 01:54 PM

Yeah, something like that; I see a Win32.Sndc.A!

David
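
Editor's note: the two HijackThis logs above (post #2 before the Spy Sweeper run, post #5 after it) were compared by eye to spot the WinProfile/sndcfg16.exe entry that survived the sweep. The script below is an added example, not part of this thread and not HijackThis's own logic: it parses the O4, O20 and O23 autostart lines of both logs, diffs them, and flags the survivors with three constructed triage heuristics (a command with no path, the legacy RunServices key, a random-looking Winlogon Notify DLL name). The log excerpts are trimmed copies of the ones posted above.

```python
"""Diff the autostart sections of two HijackThis logs and triage what survived."""
import re
from typing import NamedTuple

# Constructed excerpts of the two HijackThis logs posted in this thread:
# post #2 (before the Spy Sweeper run) and post #5 (after it), trimmed to the
# O4 (Run keys), O20 (Winlogon Notify) and O23 (services) lines.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\en44l1hq1.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


class Entry(NamedTuple):
    section: str   # HijackThis section tag: "O4", "O20" or "O23"
    location: str  # where it autostarts from: a Run key, "Winlogon Notify" or "Service"
    name: str      # registry value name, notify subkey or service display name
    command: str   # command line or image path exactly as logged


# Line shapes as HijackThis 1.99 prints them (only these three sections are parsed).
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<loc>Winlogon Notify): (?P<name>.+?) - (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - (?P<loc>Service): (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

# Triage reasons (constructed heuristics, not HijackThis output).
NO_PATH = "command carries no path, so the image is found via the search path (system32 first)"
LEGACY_RUNSERVICES = "RunServices key: NT-based Windows (XP included) ignores it, legitimate XP software rarely writes it"
RANDOM_NOTIFY_DLL = "Winlogon Notify DLL with a random-looking name"
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8,}\.dll$", re.I)  # crude: 8+ alphanumerics incl. a digit


def parse_autostarts(log: str) -> list[Entry]:
    """Pull the O4/O20/O23 lines out of a HijackThis log; other sections are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        for rx in (O4_RE, O20_RE, O23_RE):
            m = rx.match(line)
            if m:
                entries.append(Entry(line.split(" ", 1)[0], m["loc"], m["name"], m["cmd"]))
                break
    return entries


def diff_autostarts(before: str, after: str) -> tuple[set[Entry], set[Entry], set[Entry]]:
    """Return (removed, added, persisting) entry sets between two logs."""
    old, new = set(parse_autostarts(before)), set(parse_autostarts(after))
    return old - new, new - old, old & new


def image_of(cmd: str) -> str:
    """First token of a logged command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def bare_filename(cmd: str) -> bool:
    """True when the command names an image with no directory component at all."""
    exe = image_of(cmd)
    return bool(exe) and "\\" not in exe and ":" not in exe


def triage(entry: Entry) -> list[str]:
    """Apply the constructed heuristics; an empty list means nothing stood out."""
    reasons = []
    if entry.section == "O4" and bare_filename(entry.command):
        reasons.append(NO_PATH)
    if entry.section == "O4" and entry.location.endswith("RunServices"):
        reasons.append(LEGACY_RUNSERVICES)
    if entry.section == "O20" and RANDOM_NAME_RE.match(entry.command.rsplit("\\", 1)[-1]):
        reasons.append(RANDOM_NOTIFY_DLL)
    return reasons


def flagged_survivors(before: str, after: str) -> list[tuple[Entry, list[str]]]:
    """Entries present in both logs that still trip a heuristic: the ones a helper
    would hand-pick for the next fix round (here the WinProfile/sndcfg16.exe pair)."""
    _, _, persisting = diff_autostarts(before, after)
    return [(e, r) for e in sorted(persisting) if (r := triage(e))]


if __name__ == "__main__":
    removed, added, _ = diff_autostarts(HJT_BEFORE, HJT_AFTER)
    for tag, group in (("removed by the sweep", removed), ("new since the sweep", added)):
        print(f"{tag}:")
        for e in sorted(group):
            print(f"  {e.section} {e.location} [{e.name}] {e.command}")
    print("survivors worth a second look:")
    for e, reasons in flagged_survivors(HJT_BEFORE, HJT_AFTER):
        print(f"  {e.location} [{e.name}] {e.command}\n    - " + "\n    - ".join(reasons))
```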

#9 bigt


Posted 17 November 2005 - 02:30 PM

Here is my HijackThis log with the ewido scan report. I did not restart the computer after the scan, though, so let me know if I have to.

Logfile of HijackThis v1.99.1
Scan saved at 11:26:59 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\CFusion\Bin\cfserver.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\CFusion\cfam\Program\wsm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - Default URLSearchHook is missing
O1 - Hosts: .com
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128312412277
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


EWIDO


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:25:56 AM, 11/17/2005
+ Report-Checksum: A01BFB15

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-57989841-688789844-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-mybc.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfk4codpkfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfkiqlajsfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfkiukdpoaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfkowkajsho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfloqicjiho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wflowidpmho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wfmygldjebo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjk4cpajigo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjk4wlajwkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjkokjdjebp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjlosjdzskq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjmiujd5ako.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjmysgdjagq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjnycodpscp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjnysgd5ihq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@e-2dj6wjnyumdpilo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg-corusentertainment.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg-warnerbrothers.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ehg-attworldnet.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ehg-lionsgate.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ehg-warnerbrothers.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfkiclcjwcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfkiegczoep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfkiqlajsfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfkyumdpsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfliekdpsdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfliskc5aeo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wfliwic5edp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wgk4gmdjmco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wgkycodjoeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjk4okc5mho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkoeodjgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkoshdjegq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkosiajmhp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkowgc5mdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkykldzabo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkykncjkdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkyolazaeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkyqjdzekq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjkysldzofq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjliandpsko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjlighajafo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjloqgcjgeq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjloslazalo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjlyenc5ckq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjmiujd5ako.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjmywjdjeco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnyajdpkgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnyclajoao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnycldzgfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnycodpscp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnyggdjsgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnygjcpmcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnyomazwbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@e-2dj6wjnyslc5aco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@ehg-commjun.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@ehg-lowermybills.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@ehg-neteller.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@ehg-sonycomputer.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@server.lon.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Travis\Cookies\travis@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Cookies\travis@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Travis\Local Settings\Temp\Temporary Internet Files\Content.IE5\9GQXPTUM\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Uninstall My Web Search.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-57989841-688789844-854245398-1003\Dc96\backup.zip/rIssapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-57989841-688789844-854245398-1003\Dc96\backup.zip/sldpapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-57989841-688789844-854245398-1003\Dc96\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP22\A0003118.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP27\A0003170.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP27\A0003171.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP27\A0003172.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP27\A0003175.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP52\A0008014.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP54\A0008065.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP61\A0010148.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010455.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010458.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010459.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010460.DLL -> Spyware.FunWeb : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010461.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010462.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010463.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010464.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010465.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010466.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010467.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010468.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010469.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010470.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010471.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010474.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010475.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010479.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010484.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010486.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010487.EXE -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP69\A0010488.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP70\A0010823.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP70\A0010833.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP70\A0010834.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP70\A0010916.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP72\A0010946.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP72\A0010956.exe -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP73\A0010976.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP73\A0010977.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP73\A0010979.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP73\A0010988.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0D475982-2A48-456F-8EB1-2ABB5C587626}\RP73\A0010989.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\e4jm0e11eh.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Temp\Cookies\travis@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\timessquare.exe -> Spyware.Hijacker.StartPage.aw : Cleaned with backup


::Report End

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:18 PM

Posted 17 November 2005 - 02:35 PM

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above.
At the moment you may feel like you're battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was.
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R3 - Default URLSearchHook is missing
O1 - Hosts: .com
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\sndcfg16.exe
_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David

#11 bigt

bigt
  • Topic Starter

  • Members
  • 12 posts

Posted 17 November 2005 - 03:02 PM

here you go

Logfile of HijackThis v1.99.1
Scan saved at 12:00:24 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128312412277
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

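A small triage helper for logs in this format, added here as an example; it is not code from this thread, from BleepingComputer or from HijackThis itself. It parses the `Oxx - ...` lines of a log and flags the kinds of entries David picked out in his fix list above: the removed URLSearchHook, the Hosts entry, Run items that name a bare executable with no full path, `(file missing)` references and services with no identified owner. The sample lines are copied from the logs posted in this thread; the flagging rules are my own heuristics (not HijackThis's), so an entry being flagged only means it deserves a look, and a benign startup item such as the Office launcher will not be flagged even though it is harmless to remove.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry per line: "<code> - <body>", e.g.
#   O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
#   O23 - Service: <name> - <owner> - <path>
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O1 - Hosts: .com
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(log_text):
    """Return an Entry for every line that has the '<code> - <body>' shape."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def run_target(body):
    """Extract the launched command from an O4 body (registry Run or Global Startup form)."""
    if body.startswith("Global Startup:"):
        return body.split(" = ", 1)[-1]
    return body.split("] ", 1)[-1]


def triage(entries):
    """Attach heuristic flags (my own rules, not HijackThis's) and return the flagged entries."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("references a file that is no longer on disk")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service binary has no identified publisher")
        if e.code == "O1":
            e.flags.append("hosts-file redirect")
        if e.code == "R3" and "missing" in e.body:
            e.flags.append("default URLSearchHook removed")
        if e.code == "O4":
            target = run_target(e.body)
            # A bare file name is resolved by PATH search rather than a fixed location;
            # legitimate entries almost always give a full drive path (or use RunDll32).
            has_full_path = re.match(r'^"?[A-Za-z]:\\', target) is not None
            if not has_full_path and not target.lower().startswith("rundll32"):
                e.flags.append("autorun target has no full path")
    return [e for e in entries if e.flags]


def summarize(log_text):
    """Return 'CODE: body  [flag; flag]' strings for every flagged entry."""
    return [f"{e.code}: {e.body}  [{'; '.join(e.flags)}]" for e in triage(parse_hjt(log_text))]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against the sample it reports exactly five entries (R3, O1, the WinProfile O4, the O18 and the ColdFusion O23); the Cmaudio, SpySweeper, Office and vsmon lines pass because they carry a full path or a known owner.
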
#12 bigt

bigt
  • Topic Starter

  • Members
  • 12 posts

Posted 17 November 2005 - 03:27 PM

How do I look :thumbsup:

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 19 November 2005 - 07:45 AM

Clean Log!!
How's everything running? :up: or :down: ?

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

How's everything running? :up: or :down: ?



