
Infected With W32.spybot.worm


This topic is locked
8 replies to this topic

#1 Johnny305SR


  • Members
  • 41 posts
  • Location:Miami, FL

Posted 19 January 2006 - 06:33 PM

I scanned my system with all the tools listed in the Preparation topic. Had the tools clean/delete everything they found as malicious programs. Yet I am still getting a ridiculous amount of popups even when I am not using the computer (for example this morning I turned on my monitor to find 24 IE browser windows opened from popups). Please help.



Logfile of HijackThis v1.99.1
Scan saved at 6:27:02 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\q4rq0e95eh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 pskelley


  • Staff Emeritus
  • 1,487 posts

Posted 21 January 2006 - 01:55 PM

Hello and welcome to the forum. You have some nasty infections, it's going to take some work to clean them up. If you still need help, do this:

1) TeaTimer may block tools we must use; turn it off until we are done:
http://russelltexas.com/malware/teatimer.htm

Thanks to Atribune and any others who helped with this fix

2) Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
(wait until the end to post the logs)

3) We need to use the FREE TRIAL VERSION of SpySweeper and it should be at the end of this page:
http://www.webroot.com/consumer/products/s...er/latestv.html
Download Spy Sweeper 4.5 - Free Trial then follow these directions.
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

4) Let's kill the bad service now: Local Security Authority Subsystem Service (lsass) X lsass.exe. Added by the W32/Tilebot-AK or W32.Spybot.ABDO WORM! Note: This is not the legitimate Windows process lsass.exe (which is always found in the System32 folder). This worm file is found in the Windows or Winnt folder.

Disable the offending Service
Click Start > Run and type services.msc.
Scroll down to Local Security Authority Subsystem Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type lsass and press OK.
OK any prompts, close HijackThis, and restart your computer.

Post the vundofix.txt, the SpySweeper results and a new HJT log. We will have more to do.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
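The check pskelley applies in step 4 (a genuine lsass.exe runs only from System32) written as a script, added here as an example and not code from the thread or from HijackThis: it parses the O23 service lines from the log posted above and flags an entry whose service or binary name collides with a core Windows process while running from another folder, or whose binary name is one edit away from a core process name (scvhost.exe against svchost.exe). It assumes a default XP system root (C:\WINDOWS or C:\WINNT) and treats "Unknown owner" and "(file missing)" only as supporting signals.

```python
"""Flag HijackThis O23 service entries that impersonate core Windows processes.
Added example for this thread, not HijackThis code. Rule: a real lsass.exe only
runs from %SystemRoot%\\System32; a service with a core process name elsewhere,
or a binary one edit away from a core name (scvhost.exe), is an impostor."""
import ntpath
import re
from typing import NamedTuple

# Core Windows XP processes whose names malware commonly borrows.
CORE_PROCESSES = ("lsass", "svchost", "smss", "csrss", "winlogon", "services", "spoolsv")
# Assumption: default XP system roots; %SystemRoot%/%windir% are expanded to C:\WINDOWS.
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^()]*)\) - (?P<rest>.*)$")

class Service(NamedTuple):
    display: str
    name: str
    company: str
    path: str
    file_missing: bool

def parse_o23(line):
    """Parse one O23 line into a Service; returns None for any other HijackThis entry."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    if rest.startswith("- "):              # "- - C:\..." is how HJT prints an empty company
        company, path = "", rest[2:]
    else:
        company, _, path = rest.partition(" - ")
    file_missing = path.endswith("(file missing)")
    if file_missing:
        path = path[: -len("(file missing)")]
    return Service(m.group("display"), m.group("name"), company.strip(), path.strip(), file_missing)

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # a swap counts as one edit
    return d[len(a)][len(b)]

def impostor_reasons(svc):
    """Why this service looks like it impersonates a core Windows process (empty if it does not)."""
    path = svc.path.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    in_system32 = ntpath.dirname(path) in SYSTEM32_DIRS
    reasons = []
    for core in CORE_PROCESSES:
        if (svc.name.lower() == core or stem == core) and not in_system32:
            reasons.append(f"uses core name '{core}' but runs from {ntpath.dirname(svc.path)}, not System32")
        elif stem != core and osa_distance(stem, core) <= 1:
            reasons.append(f"binary '{stem}.exe' is one edit away from '{core}.exe'")
    # Supporting signals, reported only once a name-based reason exists (alone they are weak).
    if reasons and svc.company.lower() in ("", "unknown owner"):
        reasons.append("no publisher recorded for the service binary")
    if reasons and svc.file_missing:
        reasons.append("binary reported missing, so the orphaned service entry still needs removing")
    return reasons

def analyze(log_text):
    """Map service short name -> reasons for every O23 entry that looks like an impostor."""
    flagged = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None:
            reasons = impostor_reasons(svc)
            if reasons:
                flagged[svc.name] = reasons
    return flagged

# O23 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_LOG).items():
        print(f"[!] service '{name}'")
        for r in reasons:
            print(f"    - {r}")
```

Only the lsass entry is reported; the Symantec, SmartLink and AOL services pass because their names neither match nor sit one edit from a core process.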

#3 Johnny305SR

  • Topic Starter

  • Members
  • 41 posts
  • Location:Miami, FL

Posted 21 January 2006 - 07:26 PM

vundofix.txt

VundoFix V4.0

Listing files found while scanning....

C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2

C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\geedd.dll
Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

SpySweeper Results

********
6:52 PM: | Start of Session, Saturday, January 21, 2006 |
6:52 PM: Spy Sweeper started
6:52 PM: Sweep initiated using definitions version 604
6:52 PM: Starting Memory Sweep
6:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:55 PM: Memory Sweep Complete, Elapsed Time: 00:02:38
6:55 PM: Starting Registry Sweep
6:55 PM: Found System Monitor: sc-keylog
6:55 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
6:55 PM: Found Adware: virtumonde
6:55 PM: HKCR\atldistrib.atldistrib\ (5 subtraces) (ID = 1030533)
6:55 PM: HKCR\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030535)
6:55 PM: HKCR\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030537)
6:55 PM: HKCR\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030539)
6:55 PM: HKCR\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030541)
6:55 PM: HKLM\software\classes\atldistrib.atldistrib\ (5 subtraces) (ID = 1030666)
6:55 PM: HKLM\software\classes\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030668)
6:55 PM: HKLM\software\classes\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030670)
6:55 PM: HKLM\software\classes\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030672)
6:55 PM: HKLM\software\classes\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030674)
6:55 PM: Registry Sweep Complete, Elapsed Time:00:00:25
6:55 PM: Starting Cookie Sweep
6:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:12
6:56 PM: Starting File Sweep
6:56 PM: Found Adware: surfsidekick
6:56 PM: c:\program files\common files\vcclient (7 subtraces) (ID = -2147461290)
6:58 PM: Found Adware: look2me
6:58 PM: m8po0i73e8.dll (ID = 159)
7:00 PM: sjrobj.dll (ID = 159)
7:05 PM: j4n2le5o1h.dll (ID = 159)
7:06 PM: n62u0gf9e62.dll (ID = 159)
7:07 PM: vcmain.exe (ID = 212830)
7:07 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || CU2 (ID = 0)
7:12 PM: jt2u07f9e.dll (ID = 159)
7:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: Warning: Invalid Stream
7:13 PM: File Sweep Complete, Elapsed Time: 00:17:10
7:13 PM: Full Sweep has completed. Elapsed time 00:20:32
7:13 PM: Traces Found: 138
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: Removal process initiated
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: Quarantining All Traces: look2me
7:18 PM: look2me is in use. It will be removed on reboot.
7:18 PM: sjrobj.dll is in use. It will be removed on reboot.
7:18 PM: j4n2le5o1h.dll is in use. It will be removed on reboot.
7:18 PM: n62u0gf9e62.dll is in use. It will be removed on reboot.
7:18 PM: Quarantining All Traces: sc-keylog
7:18 PM: Quarantining All Traces: virtumonde
7:18 PM: Quarantining All Traces: surfsidekick
7:18 PM: Quarantining All Traces: 2o7.net cookie
7:18 PM: Quarantining All Traces: 3 cookie
7:18 PM: Quarantining All Traces: 64.62.232 cookie
7:18 PM: Quarantining All Traces: 735 cookie
7:18 PM: Quarantining All Traces: 888 cookie
7:18 PM: Quarantining All Traces: about cookie
7:18 PM: Quarantining All Traces: adecn cookie
7:18 PM: Quarantining All Traces: adjuggler cookie
7:18 PM: Quarantining All Traces: adknowledge cookie
7:18 PM: Quarantining All Traces: adlegend cookie
7:18 PM: Quarantining All Traces: adprofile cookie
7:18 PM: Quarantining All Traces: adserver cookie
7:18 PM: Quarantining All Traces: ask cookie
7:18 PM: Quarantining All Traces: askmen cookie
7:18 PM: Quarantining All Traces: atwola cookie
7:18 PM: Quarantining All Traces: azjmp cookie
7:18 PM: Quarantining All Traces: banner cookie
7:18 PM: Quarantining All Traces: belnk cookie
7:18 PM: Quarantining All Traces: bizrate cookie
7:18 PM: Quarantining All Traces: bluestreak cookie
7:18 PM: Quarantining All Traces: burstbeacon cookie
7:18 PM: Quarantining All Traces: burstnet cookie
7:18 PM: Quarantining All Traces: carsbelowinvoice cookie
7:18 PM: Quarantining All Traces: cassava cookie
7:18 PM: Quarantining All Traces: cc214142 cookie
7:18 PM: Quarantining All Traces: clickandtrack cookie
7:18 PM: Quarantining All Traces: clickbank cookie
7:18 PM: Quarantining All Traces: clicktracks cookie
7:18 PM: Quarantining All Traces: dealtime cookie
7:18 PM: Quarantining All Traces: did-it cookie
7:18 PM: Quarantining All Traces: empnads cookie
7:18 PM: Quarantining All Traces: exitexchange cookie
7:18 PM: Quarantining All Traces: experclick cookie
7:18 PM: Quarantining All Traces: go.com cookie
7:18 PM: Quarantining All Traces: go2net.com cookie
7:18 PM: Quarantining All Traces: hbmediapro cookie
7:18 PM: Quarantining All Traces: hypertracker.com cookie
7:18 PM: Quarantining All Traces: kmpads cookie
7:18 PM: Quarantining All Traces: kount cookie
7:18 PM: Quarantining All Traces: metareward.com cookie
7:18 PM: Quarantining All Traces: myaffiliateprogram.com cookie
7:18 PM: Quarantining All Traces: nextag cookie
7:18 PM: Quarantining All Traces: offeroptimizer cookie
7:18 PM: Quarantining All Traces: overture cookie
7:18 PM: Quarantining All Traces: partypoker cookie
7:18 PM: Quarantining All Traces: paypopup cookie
7:18 PM: Quarantining All Traces: precisead cookie
7:18 PM: Quarantining All Traces: realmedia cookie
7:18 PM: Quarantining All Traces: reliablestats cookie
7:18 PM: Quarantining All Traces: reunion cookie
7:18 PM: Quarantining All Traces: rightmedia cookie
7:18 PM: Quarantining All Traces: rn11 cookie
7:18 PM: Quarantining All Traces: sb01 cookie
7:18 PM: Quarantining All Traces: screensavers.com cookie
7:18 PM: Quarantining All Traces: search123 cookie
7:18 PM: Quarantining All Traces: specificclick.com cookie
7:18 PM: Quarantining All Traces: starware.com cookie
7:18 PM: Quarantining All Traces: statcounter cookie
7:18 PM: Quarantining All Traces: tickle cookie
7:18 PM: Quarantining All Traces: toplist cookie
7:18 PM: Quarantining All Traces: touchclarity cookie
7:18 PM: Quarantining All Traces: tracking cookie
7:18 PM: Quarantining All Traces: upspiral cookie
7:18 PM: Quarantining All Traces: websponsors cookie
7:18 PM: Quarantining All Traces: winantiviruspro cookie
7:18 PM: Quarantining All Traces: xiti cookie
7:18 PM: Quarantining All Traces: yieldmanager cookie
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: Removal process completed. Elapsed time 00:01:10
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
********
6:51 PM: | Start of Session, Saturday, January 21, 2006 |
6:51 PM: Spy Sweeper started
6:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:51 PM: Your spyware definitions have been updated.
6:52 PM: | End of Session, Saturday, January 21, 2006 |

HiJack This Log

Logfile of HijackThis v1.99.1
Scan saved at 6:48:17 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\n62u0gf9e62.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
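
The Spy Sweeper session above shows the same two hyphenated lookalike domains, www.ad-w-a-r-e.com and www.a-d-w-a-r-e.com, being blocked in every minute from 7:07 PM to 7:19 PM, which is what a still-running adware component calling home looks like. The following script is an added example, not part of this thread and not Webroot code: it parses lines in the Spy Sweeper log format shown above (the embedded excerpt is constructed in that format), collapses the hyphen-spelling trick so both hosts count as one destination, and flags any destination blocked in three or more consecutive minutes as beaconing. The three-minute threshold and the hyphen-stripping normalisation are assumptions chosen for this example.

```python
"""Beacon-cadence check over a Webroot Spy Sweeper session log.

Added example, not part of the original thread and not Spy Sweeper code.
SAMPLE_LOG is a constructed excerpt in the same "h:mm AM/PM: message" format
as the shield lines in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two hyphen-spellings of one destination blocked in four
# consecutive minutes, one unrelated block, plus non-shield lines to skip.
SAMPLE_LOG = """\
7:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:07 PM: vcmain.exe (ID = 212830)
7:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:11 PM: The Spy Communication shield has blocked access to: www.example.org
7:13 PM: Full Sweep has completed. Elapsed time 00:20:32
"""

BLOCK_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2} [AP]M): The Spy Communication shield has blocked access to: (?P<host>\S+)$"
)


def normalize_host(host: str) -> str:
    """Drop 'www.' and collapse hyphen tricks: www.ad-w-a-r-e.com -> adware.com.
    (Assumption for this example: hyphens in these hosts carry no meaning.)"""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.replace("-", "")


def parse_blocks(log_text: str) -> list[tuple[int, str, str]]:
    """Return (minute_of_day, raw_host, normalized_host) for every shield block line."""
    out = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue  # scan progress, detections and other non-shield lines
        t = datetime.strptime(m.group("time"), "%I:%M %p")
        out.append((t.hour * 60 + t.minute, m.group("host"), normalize_host(m.group("host"))))
    return out


def beacon_report(log_text: str, min_consecutive: int = 3) -> dict[str, dict]:
    """Per normalized destination: block count, the raw spellings seen, the longest
    run of consecutive minutes with a block, and whether that run meets the threshold."""
    minutes_by_host = defaultdict(set)
    spellings_by_host = defaultdict(set)
    count_by_host = defaultdict(int)
    for minute, raw, norm in parse_blocks(log_text):
        minutes_by_host[norm].add(minute)
        spellings_by_host[norm].add(raw)
        count_by_host[norm] += 1

    report = {}
    for host, minutes in minutes_by_host.items():
        longest = run = 0
        prev = None
        for mnt in sorted(minutes):
            run = run + 1 if prev is not None and mnt == prev + 1 else 1
            longest = max(longest, run)
            prev = mnt
        report[host] = {
            "blocks": count_by_host[host],
            "spellings": sorted(spellings_by_host[host]),
            "longest_run_minutes": longest,
            "beaconing": longest >= min_consecutive,
        }
    return report


if __name__ == "__main__":
    for host, info in beacon_report(SAMPLE_LOG).items():
        flag = "BEACONING" if info["beaconing"] else "ok"
        print(f"{host:<14} {info['blocks']:>3} blocks  run={info['longest_run_minutes']}min  {flag}  {info['spellings']}")
```

Point `beacon_report()` at a saved Spy Sweeper session instead of `SAMPLE_LOG` and the alternating lines from the post collapse to a single adware.com destination whose run spans the whole sweep, while a one-off block such as the constructed www.example.org line stays below the threshold. A run that survives a completed sweep and removal pass, as the 7:18 and 7:19 PM lines above do, is the practical signal that a component is still resident and a reboot (or a different removal route) is needed.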

#4 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 23 January 2006 - 09:56 AM

I am sorry, it appears that notifications failed and I was not told when you posted. The scans show the items were removed, but the HJT log still shows them. Perhaps there was no reboot after the removal. Please post a fresh HJT log so I can see where we are at. Tell me what the computer is doing now and how it is running. Even the bad service is showing in this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:48:17 PM, on 1/21/2006

Were you able to complete the instructions for removing it? Did you make sure to turn off TeaTimer during the fix? Thanks...Phil

Edited by pskelley, 23 January 2006 - 09:58 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 Johnny305SR
  • Topic Starter

  • Members
  • 41 posts
  • Location:Miami, FL

Posted 24 January 2006 - 05:44 PM

Yes, I followed all your instructions to the 't' (especially turning off TeaTimer during the procedures). I rebooted again and performed another scan. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:47 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\j4n2le5o1h.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
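
The 1/24 log still carries the markers pskelley is chasing: geedd.dll is registered both as a BHO (O2) and as a Winlogon Notify package (O20), which is what keeps the DLL mapped inside winlogon.exe and undeletable while the system is up; the RunServices Notify entry points at a DLL that is already gone; n62u0gf9e62.dll and j4n2le5o1h.dll are random-named modules in system32; and the 1/21 log listed a service calling itself lsass whose binary is C:\WINDOWS\scvhost.exe, a two-letter swap of svchost.exe. The following triage script is an added example, not part of this thread and not HijackThis code: it parses O2/O20/O23 lines in the HJT 1.99.1 format (the embedded log is a constructed excerpt assembled from entries in this thread) and flags those patterns. The name heuristic, the list of core process names and the edit-distance threshold are this example's own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis O2 / O20 / O23 lines for the persistence patterns seen
in this thread.  Added example: not part of the original thread and not
HijackThis code.  SAMPLE_HJT is a constructed excerpt in HJT 1.99.1 format."""
import ntpath
import re

# Constructed excerpt: one line per entry type of interest, taken from the
# logs posted in this thread (an O3 line is included only to show it is skipped).
SAMPLE_HJT = r"""
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\n62u0gf9e62.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\j4n2le5o1h.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")

SYSTEM32 = "c:\\windows\\system32\\"
# Assumptions for this example: a service whose short name is one of these core
# process names should live in system32; binaries within edit distance 2 of a
# core binary name (scvhost.exe vs svchost.exe) are treated as lookalikes.
CORE_PROCESS_NAMES = {"lsass", "svchost", "csrss", "winlogon", "smss", "services", "spoolsv"}
CORE_BINARIES = tuple(n + ".exe" for n in sorted(CORE_PROCESS_NAMES)) + ("explorer.exe",)
LOOKALIKE_MAX_DISTANCE = 2


def split_missing(path: str) -> tuple[str, bool]:
    """HJT appends ' (file missing)' to a dangling entry; separate it from the path."""
    marker = " (file missing)"
    if path.endswith(marker):
        return path[: -len(marker)], True
    return path, False


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute) for lookalike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def random_looking(filename: str) -> bool:
    """Vundo/Look2Me-style names such as n62u0gf9e62.dll or j4n2le5o1h.dll: a stem
    of six or more lower-case letters and digits with at least two digits mixed in.
    Heuristic chosen for this example, not a HijackThis rule."""
    stem = ntpath.splitext(filename)[0].lower()
    return (
        re.fullmatch(r"[a-z0-9]{6,}", stem) is not None
        and sum(c.isdigit() for c in stem) >= 2
        and any(c.isalpha() for c in stem)
    )


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious O2/O20/O23 entry, each with its reasons."""
    bhos, notifies, services = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O20_RE.match(line):
            notifies.append(m.groupdict())
        # HJT renders an empty owner as ") - - "; give it a placeholder so the regex splits cleanly.
        elif m := O23_RE.match(line.replace(") - - ", ") - (none) - ")):
            services.append(m.groupdict())

    bho_files = {ntpath.basename(split_missing(b["path"])[0]).lower() for b in bhos}
    notify_files = {ntpath.basename(split_missing(n["path"])[0]).lower() for n in notifies}
    findings = []

    for b in bhos:
        path, _ = split_missing(b["path"])
        fname = ntpath.basename(path).lower()
        reasons = []
        if fname in notify_files:
            reasons.append("BHO DLL is also a Winlogon Notify package (Vundo pattern: mapped in winlogon.exe, undeletable while running)")
        if random_looking(fname):
            reasons.append("random-looking module name")
        if reasons:
            findings.append({"kind": "O2", "name": b["name"], "path": path, "reasons": reasons})

    for n in notifies:
        path, missing = split_missing(n["path"])
        fname = ntpath.basename(path).lower()
        reasons = []
        if fname in bho_files:
            reasons.append("Winlogon Notify DLL is also registered as a BHO (Vundo pattern)")
        if missing:
            reasons.append("dangling Winlogon Notify entry (file missing)")
        if random_looking(fname):
            reasons.append("random-looking module name")
        if reasons:
            findings.append({"kind": "O20", "name": n["name"], "path": path, "reasons": reasons})

    for s in services:
        path, missing = split_missing(s["path"])
        exe = ntpath.basename(path).lower()
        reasons = []
        if s["short"].lower() in CORE_PROCESS_NAMES and not path.lower().startswith(SYSTEM32):
            reasons.append(f"service named like core process '{s['short']}' but its binary is outside system32")
        for real in CORE_BINARIES:
            if exe != real and levenshtein(exe, real) <= LOOKALIKE_MAX_DISTANCE:
                reasons.append(f"binary name {exe} is a lookalike of {real}")
        if missing and s["owner"] in ("Unknown owner", "(none)"):
            reasons.append("no recognised owner and file missing (orphaned service entry)")
        if reasons:
            findings.append({"kind": "O23", "name": s["short"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['kind']:<4} {f['name']:<12} {f['path']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Run against a full HJT log the script reports five entries from the constructed excerpt: the geedd.dll pair (flagged from both the O2 and the O20 side), the two random-named Notify DLLs, and the fake lsass service, while WRLogonNTF.dll (Spy Sweeper's own Notify package) and the two legitimate services produce nothing. The O2/O20 cross-reference is the one that explains the thread: a Notify package is loaded into winlogon.exe before any user session exists, so a delete-on-reboot of that DLL races against the process that holds it open.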

#6 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 25 January 2006 - 02:16 PM

OK, and thanks. Something is causing the Vundo fix not to kill the Vundo infection. I would like you to try another fix. Before you start the actual fix, download the tool, then go offline and turn off TeaTimer and SpySweeper. Make sure you are signed in as the administrator, then try this:

1) Please start by downloading VirtumundoBegone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.

When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
(Vundo, hope it's gone)
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\j4n2le5o1h.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\geedd.dll >>> file (if there)

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the VBG.TXT and a new HJT log so I can see if it worked.

If you received any messages during the earlier Vundo fix that might help me understand why it did not work, please post them for me.

Thanks...Phil

#7 Johnny305SR
  • Topic Starter

  • Members
  • 41 posts
  • Location:Miami, FL

Posted 25 January 2006 - 06:07 PM

*******VBG Log*******

[01/25/2006, 17:47:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jehnny Rivera\Desktop\VirtumundoBeGone.exe" )
[01/25/2006, 17:48:05] - Detected System Information:
[01/25/2006, 17:48:05] - Windows Version: 5.1.2600, Service Pack 2
[01/25/2006, 17:48:05] - Current Username: Jehnny Rivera (Admin)
[01/25/2006, 17:48:05] - Windows is in NORMAL mode.
[01/25/2006, 17:48:05] - Searching for Browser Helper Objects:
[01/25/2006, 17:48:05] - BHO 1: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[01/25/2006, 17:48:05] - ALERT: Found ATLDistrib Object!
[01/25/2006, 17:48:05] - Finished Searching Browser Helper Objects
[01/25/2006, 17:48:05] - *** Detected ATLDistrib Object
[01/25/2006, 17:48:05] - Trying to remove ATLDistrib Object...
[01/25/2006, 17:48:06] - Terminating Process: IEXPLORE.EXE
[01/25/2006, 17:48:06] - Terminating Process: RUNDLL32.EXE
[01/25/2006, 17:48:06] - Disabling Automatic Shell Restart
[01/25/2006, 17:48:07] - Terminating Process: EXPLORER.EXE
[01/25/2006, 17:48:07] - Suspending the NT Session Manager System Service
[01/25/2006, 17:48:07] - Terminating Windows NT Logon/Logoff Manager
[01/25/2006, 17:48:07] - Re-enabling Automatic Shell Restart
[01/25/2006, 17:48:07] - File to disable: C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:07] - Renaming C:\WINDOWS\system32\geedd.dll -> C:\WINDOWS\system32\geedd.dll.vir
[01/25/2006, 17:48:07] - ! File rename was unsucessful.
[01/25/2006, 17:48:07] - Attempting to Deny Access to C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:07] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/25/2006, 17:48:07] - processed file: C:\WINDOWS\system32\geedd.dll

[01/25/2006, 17:48:07] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/25/2006, 17:48:07] - Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:07] - Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:08] - Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:08] - Deleting ATLEvents/MSEvents Registry entries
[01/25/2006, 17:48:08] - Removing HKLM\...\Winlogon\Notify\geedd
[01/25/2006, 17:48:09] - Searching for Browser Helper Objects:
[01/25/2006, 17:48:09] - BHO 1: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[01/25/2006, 17:48:09] - ALERT: Found ATLDistrib Object!
[01/25/2006, 17:48:09] - Finished Searching Browser Helper Objects
[01/25/2006, 17:48:09] - *** Detected ATLDistrib Object
[01/25/2006, 17:48:10] - Trying to remove ATLDistrib Object...
[01/25/2006, 17:48:11] - Terminating Process: IEXPLORE.EXE
[01/25/2006, 17:48:11] - Terminating Process: RUNDLL32.EXE
[01/25/2006, 17:48:11] - Disabling Automatic Shell Restart
[01/25/2006, 17:48:12] - Terminating Process: EXPLORER.EXE
[01/25/2006, 17:48:13] - Suspending the NT Session Manager System Service
[01/25/2006, 17:48:13] - Terminating Windows NT Logon/Logoff Manager
[01/25/2006, 17:48:14] - Re-enabling Automatic Shell Restart
[01/25/2006, 17:48:14] - File to disable: C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:14] - Renaming C:\WINDOWS\system32\geedd.dll -> C:\WINDOWS\system32\geedd.dll.vir
[01/25/2006, 17:48:15] - ! File rename was unsucessful.
[01/25/2006, 17:48:15] - Attempting to Deny Access to C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:15] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/25/2006, 17:48:15] - processed file: C:\WINDOWS\system32\geedd.dll

[01/25/2006, 17:48:15] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/25/2006, 17:48:15] - Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:15] - Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:17] - Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:17] - Deleting ATLEvents/MSEvents Registry entries
[01/25/2006, 17:48:17] - Removing HKLM\...\Winlogon\Notify\geedd
[01/25/2006, 17:48:17] - Searching for Browser Helper Objects:
[01/25/2006, 17:48:18] - BHO 1: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[01/25/2006, 17:48:18] - ALERT: Found ATLDistrib Object!
[01/25/2006, 17:48:18] - Finished Searching Browser Helper Objects
[01/25/2006, 17:48:18] - *** Detected ATLDistrib Object
[01/25/2006, 17:48:18] - Trying to remove ATLDistrib Object...
[01/25/2006, 17:48:19] - Terminating Process: IEXPLORE.EXE
[01/25/2006, 17:48:19] - Terminating Process: RUNDLL32.EXE
[01/25/2006, 17:48:19] - Disabling Automatic Shell Restart
[01/25/2006, 17:48:19] - Terminating Process: EXPLORER.EXE
[01/25/2006, 17:48:19] - Suspending the NT Session Manager System Service
[01/25/2006, 17:48:20] - Terminating Windows NT Logon/Logoff Manager
[01/25/2006, 17:48:20] - Re-enabling Automatic Shell Restart
[01/25/2006, 17:48:20] - File to disable: C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:20] - Renaming C:\WINDOWS\system32\geedd.dll -> C:\WINDOWS\system32\geedd.dll.vir
[01/25/2006, 17:48:20] - ! File rename was unsucessful.
[01/25/2006, 17:48:20] - Attempting to Deny Access to C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:20] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/25/2006, 17:48:20] - processed file: C:\WINDOWS\system32\geedd.dll

[01/25/2006, 17:48:20] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/25/2006, 17:48:20] - Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:20] - Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:21] - Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:21] - Deleting ATLEvents/MSEvents Registry entries
[01/25/2006, 17:48:21] - Removing HKLM\...\Winlogon\Notify\geedd
[01/25/2006, 17:48:22] - Searching for Browser Helper Objects:
[01/25/2006, 17:48:23] - BHO 1: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[01/25/2006, 17:48:23] - ALERT: Found ATLDistrib Object!
[01/25/2006, 17:48:23] - Finished Searching Browser Helper Objects
[01/25/2006, 17:48:23] - *** Detected ATLDistrib Object
[01/25/2006, 17:48:23] - Trying to remove ATLDistrib Object...
[01/25/2006, 17:48:24] - Terminating Process: IEXPLORE.EXE
[01/25/2006, 17:48:24] - Terminating Process: RUNDLL32.EXE
[01/25/2006, 17:48:25] - Disabling Automatic Shell Restart
[01/25/2006, 17:48:25] - Terminating Process: EXPLORER.EXE
[01/25/2006, 17:48:25] - Suspending the NT Session Manager System Service
[01/25/2006, 17:48:25] - Terminating Windows NT Logon/Logoff Manager
[01/25/2006, 17:48:25] - Re-enabling Automatic Shell Restart
[01/25/2006, 17:48:25] - File to disable: C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:25] - Renaming C:\WINDOWS\system32\geedd.dll -> C:\WINDOWS\system32\geedd.dll.vir
[01/25/2006, 17:48:25] - ! File rename was unsucessful.
[01/25/2006, 17:48:25] - Attempting to Deny Access to C:\WINDOWS\system32\geedd.dll
[01/25/2006, 17:48:26] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/25/2006, 17:48:26] - processed file: C:\WINDOWS\system32\geedd.dll

[01/25/2006, 17:48:26] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/25/2006, 17:48:26] - Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:26] - Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:26] - Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[01/25/2006, 17:48:26] - Deleting ATLEvents/MSEvents Registry entries
[01/25/2006, 17:48:26] - Removing HKLM\...\Winlogon\Notify\geedd
[01/25/2006, 17:48:26] - Searching for Browser Helper Objects:
[01/25/2006, 17:48:26] - Finished Searching Browser Helper Objects
[01/25/2006, 17:48:26] - Finishing up...
[01/25/2006, 17:48:26] - A restart is needed.
[01/25/2006, 17:48:33] - Attempting to Restart via STOP error (Blue Screen!)

[01/25/2006, 17:51:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jehnny Rivera\Desktop\VirtumundoBeGone.exe" )
[01/25/2006, 17:51:56] - User choose NOT to continue. Exiting...


*******HJT LOG*******

Logfile of HijackThis v1.99.1
Scan saved at 6:03:37 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Oh and I did not receive any messages while running VundoFix
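
As an added example (not code from this thread, from HijackThis or from VirtumundoBeGone), the following Python helper parses the HijackThis log format shown above and flags the load points a Vundo-type infection uses: an unnamed O2 BHO, an O20 Winlogon Notify DLL that is not on an analyst's allowlist, and orphaned entries marked "(file missing)". The allowlist (`KNOWN_NOTIFY_DLLS`) and the severity heuristics are assumptions an analyst would tune; the sample log is constructed, mixing real lines from the HijackThis log above with an O2 and an O20 line built from the geedd.dll path and the {83A5F7B7-...} CLSID that the VirtumundoBeGone log reports.

```python
"""HijackThis log triage helper (added example, not HijackThis/VirtumundoBeGone code).

Parses the 'Oxx - ...' entry lines of a HijackThis log and flags the load points
Vundo-style infections abuse (O2 BHOs, O20 Winlogon Notify DLLs) plus orphaned
entries. Heuristics and the allowlist are assumptions an analyst would tune.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A path starts with a drive letter or an %ENV% variable followed by a backslash.
PATH_START_RE = re.compile(r"^(?:[A-Za-z]:|%[A-Za-z_]+%)\\")
QUOTED_PATH_RE = re.compile(r'"((?:[A-Za-z]:|%[A-Za-z_]+%)\\[^"]+)"')
# Annotations HijackThis appends after a path, e.g. "(file missing) (HKCU)".
TRAILING_NOTE_RE = re.compile(r"(\s*\([^)]*\))+\s*$")
# Command-line switches after an unquoted O4 path, e.g. " /background".
TRAILING_ARGS_RE = re.compile(r"(\s+/\S+)+$")

# Analyst-maintained allowlist of Winlogon Notify DLL basenames (assumption).
# WRLogonNTF.dll is Webroot Spy Sweeper's and was left in place in this thread.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]


def extract_path(body: str) -> Optional[str]:
    """Recover the file path an entry points at, or None if it has none."""
    m = QUOTED_PATH_RE.search(body)
    if m:
        return m.group(1)
    if body.startswith(("HKLM", "HKCU")) and "] " in body:
        seg = body.split("] ", 1)[1]        # O4: text after the [name] bracket
    else:
        seg = body.rsplit(" - ", 1)[-1]     # O2/O3/O9/O20/O23: last " - " segment
    seg = TRAILING_NOTE_RE.sub("", seg)
    seg = TRAILING_ARGS_RE.sub("", seg).strip()
    return seg if PATH_START_RE.match(seg) else None


def parse_log(text: str) -> List[Entry]:
    """Keep only 'Oxx - ...' entry lines; headers and the process list are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             clsid.group(0) if clsid else None, extract_path(body)))
    return entries


Finding = Tuple[str, str, str, str]  # severity, entry code, target, reason


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag Vundo-style load points and orphaned entries for analyst review."""
    findings: List[Finding] = []
    for e in entries:
        target = e.path or e.clsid or e.body
        if e.code == "O2" and "(no name)" in e.body:
            findings.append(("high", e.code, target, "unnamed BHO: Vundo-style load point"))
        elif e.code == "O20":
            base = (e.path or "").rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_NOTIFY_DLLS:
                findings.append(("high", e.code, target, "Winlogon Notify DLL not on allowlist"))
        elif "(file missing)" in e.body:
            findings.append(("low", e.code, target, "orphaned entry, target file missing"))
    return findings


# Constructed sample log: the O2 line and the second O20 line are built from the
# geedd.dll / {83A5F7B7-...} values in the VirtumundoBeGone log; the other lines
# are taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: (no name) - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\geedd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for sev, code, target, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {code}: {target} - {reason}")
```

Run against the sample, the helper reports the unnamed BHO and the geedd Winlogon Notify DLL as high and the missing bdoscandel.exe button as low, while the Webroot notify DLL on the allowlist and the Symantec entries produce nothing. The O20 check is the one worth keeping: a Winlogon Notify DLL loads into winlogon.exe at every logon, which is why a helper like VirtumundoBeGone has to suspend the logon manager to disable it, and any DLL there that the analyst cannot attribute deserves a look.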

#8 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:04:21 AM

Posted 25 January 2006 - 10:44 PM

OK, and thanks for all of your efforts :thumbsup: For some reason this was a very bad infection of Vundo. I rarely have to move to the second fix, and the fix rarely has the problems removing it like it did here, but it is gone. You also had another infection called Look2me, and they both are gone, so you should be running a lot better. Let's chat a bit about the programs. SpySweeper gives you some protection for two weeks but it uses some resources. Unless you purchase the product, you should uninstall it as it gives no benefits after the trial is over.

Because this stuff gets backed up in System Restore and can reinfect you if you need SR for a valid reason, use the information in the following link to get clean System Restore files.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Safe surfing...Phil
BleepingComputer
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#9 Johnny305SR

Johnny305SR
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Location:Miami, FL
  • Local time:04:21 AM

Posted 26 January 2006 - 06:36 PM

Thank you very much! My sister really appreciates your help (it was her computer you helped me clean)!

It is amazing that your group offers this help online for free! I will definitely donate to the site and recommend you guys to everyone I know!!



