Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Hijack Log - Ie Pop Ups Galore


  • Please log in to reply
3 replies to this topic

#1 Scott Tribbie

Scott Tribbie

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 04 March 2006 - 11:21 PM

Hi a new user with a bad case of the Pop-Ups. I've followed the instructions from bleepingcomputer.com/tutorials/tutoria42.html and now here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:36 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\SurfControl\CyberPatrol\CPHQ.exe
C:\PROGRA~1\AT&T\DSL\programs\dslpca.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\bleeping\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\w?crtupd.exe
C:\bleeping\NoAdware4\NoAdware4.exe
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\PROGRA~1\CURITY~1\ping.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\SurfControl\CyberPatrol\cpACtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpCCtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpkbinst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Bleeping\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AAC24881-D61E-F0C8-1E84-FC5A61481BE7} - C:\WINNT\system32\stjhhceg.dll
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {AAC24881-D61E-F0C8-1E84-FC5A61481BE7} - C:\WINNT\system32\stjhhceg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LonPS2] c:\winnt\system32\repcale.exe c:\winnt\system32\palsp.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pkpprk.exe reg_run
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [Pfmluqu] C:\WINNT\system32\w?crtupd.exe
O4 - HKCU\..\Run: [nvrcba] C:\WINNT\system32\nvrcba.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\CURITY~1\ping.exe" -vt ndrv
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.cyberpatrol.com/cponline/setup.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9AFC046-0498-400C-B786-81FA073DF916}: NameServer = 64.105.199.76 64.105.159.251
O20 - Winlogon Notify: welcome - C:\WINNT\system32\gppul3791.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:17 PM

Posted 05 March 2006 - 07:07 AM

Hello Scott, and welcome to BleepingComputer,

We'll try to help you out, just give us some time to study your log.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:17 PM

Posted 06 March 2006 - 10:27 AM

Hello Scott,

Please follow these instructions very carefully.
It might be a good idea to print them or save them in a .txt file, because working in safe mode will leave you without internet connection.

1. Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

2. Please download, install, and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET.
3. Reconfigure Windows XP to show hidden files:Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the Hide protected operating system files (recommended) option.
Uncheck the Hide file extensions for known file types option.
Click Yes to confirm. Click OK.
[/list]4. Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

5. Run HijackThis and mark these entries, if still present:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AAC24881-D61E-F0C8-1E84-FC5A61481BE7} - C:\WINNT\system32\stjhhceg.dll
O2 - BHO: (no name) - {AAC24881-D61E-F0C8-1E84-FC5A61481BE7} - C:\WINNT\system32\stjhhceg.dll
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [LonPS2] c:\winnt\system32\repcale.exe c:\winnt\system32\palsp.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pkpprk.exe reg_run
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [Pfmluqu] C:\WINNT\system32\w?crtupd.exe
O4 - HKCU\..\Run: [nvrcba] C:\WINNT\system32\nvrcba.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\CURITY~1\ping.exe" -vt ndrv
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - <a href="http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab" rel="nofollow" target="_blank">http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab</a>
O20 - Winlogon Notify: welcome - C:\WINNT\system32\gppul3791.dll

Close all open windows, EXCEPT HijackThis and click Fix Checked. Close HijackThis.

6. Open Windows Explorer, find and delete, if still present these files/folders (in bold):C:\windows\winsysupd4.exe
C:\WINDOWS\myupdates.exe
c:\winnt\system32\repcale.exe
c:\winnt\system32\palsp.exe
C:\WINNT\system32\nvrcba.exe
C:\WINNT\system32\gppul3791.dll
7. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      # This means you will need to step through the process of cleaning files one-by-one.
      # If ewido detects a file you KNOW to be legitimate, select none as the action.
      # DO NOT select "Perform action on all infections"
      # If you are unsure of any entry found select none for now.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.
8. Restart your computer in Normal Mode.

9. Please post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log, as well as the log from ewido.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Scott Tribbie

Scott Tribbie
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 11 March 2006 - 11:14 AM

BMThor,

Thanks for reponding. The Look2Me-Destroyer took care of my Pop Up problem.

I was originally looking in the wrong folder for the Look2Me-Destroyer.txt file so I reran it and attached the output below.


Look2Me-Destroyer V1.0.7

Scanning for infected files.....
Scan started at 3/11/2006 10:48:48 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



Here's my latest HJM log:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:56 AM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Bleeping\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\SurfControl\CyberPatrol\CPHQ.exe
C:\PROGRA~1\AT&T\DSL\programs\dslpca.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\bleeping\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\OPLIMIT\ocrawr32.exe
C:\bleeping\NoAdware4\NoAdware4.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\SurfControl\CyberPatrol\cpACtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpCCtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpkbinst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Bleeping\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pkpprk.exe reg_run
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.cyberpatrol.com/cponline/setup.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9AFC046-0498-400C-B786-81FA073DF916}: NameServer = 64.105.199.76 64.105.159.251
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Bleeping\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe




Here's the Ewido log. I kind of hap-hazardly removed some files since the warning window didn't list the file names - In hind sight I shouldn't have removed any of them I guess.






---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:29:56 AM, 3/11/2006
+ Report-Checksum: 5B259D3B

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\!update.exe -> Downloader.PurityScan.bw : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@adrevolver[3].txt -> TrackingCookie.Adrevolver : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@as-us.falkag[1].txt -> TrackingCookie.Falkag : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@bluestreak[1].txt -> TrackingCookie.Bluestreak : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@burstnet[1].txt -> TrackingCookie.Burstnet : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@casalemedia[1].txt -> TrackingCookie.Casalemedia : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@tacoda[1].txt -> TrackingCookie.Tacoda : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@trafficmp[1].txt -> TrackingCookie.Trafficmp : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@z1.adserver[1].txt -> TrackingCookie.Adserver : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\Cookies\scott tribbie@zedo[1].txt -> TrackingCookie.Zedo : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\E7DA8.tmp/titno.exe -> Adware.MDH : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\f167453.exe -> Downloader.Qoologic.at : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\i27.tmp -> Adware.SurfSide : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\iAD.tmp -> Adware.SurfSide : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\temp.fr154F\Programs\webhdll.dll -> Adware.WebHancer : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temp\temp.fr154F\Programs\whagent.exe -> Adware.WebHancer : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temporary Internet Files\Content.IE5\23OBCTGV\2[1].bin/whAgent.exe -> Adware.WebHancer : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temporary Internet Files\Content.IE5\23OBCTGV\NNSCAA638[1].EXE -> Adware.NewDotNet : Ignored
C:\Documents and Settings\Scott Tribbie\Local Settings\Temporary Internet Files\Content.IE5\B8J6HJK8\!update-3325[1].0000 -> Downloader.PurityScan.br : Ignored
C:\drsmartloadb.exe -> Downloader.Adload.l : Ignored
C:\NNSCAA638.EXE -> Adware.NewDotNet : Ignored
C:\Program Files\InetGet2\MTE3MTk6ODoxNg.exe -> Downloader.Small.buy : Ignored
C:\Program Files\InetGet2\stub_109_4_0_4_0.exe -> Downloader.TSUpdate.o : Ignored
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Ignored
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored
C:\Program Files\Yazzle Sudoku\Sudoku.exe -> Dropper.VB.kk : Ignored
C:\Program Files\ѕеcurity\ping.exe -> Downloader.PurityScan.bw : Ignored
C:\WINNT\Access.exe -> Dialer.EgroupDial : Ignored
C:\WINNT\mtuninst.exe -> Adware.MediaTickets : Ignored
C:\WINNT\NDNuninstall6_38.exe -> Adware.NewDotNet : Ignored
C:\WINNT\NDNuninstall7_14.exe -> Adware.NewDotNet : Ignored
C:\WINNT\NDNuninstall7_22.exe -> Adware.NewDotNet : Ignored
C:\WINNT\system32\cl4ss.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Ignored
C:\WINNT\system32\drsmartload348a.exe -> Downloader.Adload.o : Ignored
C:\WINNT\system32\drsmartload348a.exe.dat -> Downloader.Adload.o : Ignored
C:\WINNT\system32\oins.exe -> Adware.MediaTickets : Ignored
C:\WINNT\system32\stjhhceg.dll -> Adware.PurityScan : Ignored
C:\WINNT\system32\wgse.exe -> Trojan.Runner.h : Ignored
C:\WINNT\system32\whCC-CLICK.exe/whAgent.exe -> Adware.WebHancer : Ignored
C:\WINNT\system32\wvwwb.dat -> Downloader.Qoologic.at : Ignored
C:\WINNT\Temp\Cookies\kathy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored
C:\WINNT\Temp\Cookies\kathy@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@bluestreak[2].txt -> TrackingCookie.Bluestreak : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@burstnet[2].txt -> TrackingCookie.Burstnet : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@c.enhance[1].txt -> TrackingCookie.Enhance : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@casalemedia[1].txt -> TrackingCookie.Casalemedia : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@data1.perf.overture[1].txt -> TrackingCookie.Overture : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@data2.perf.overture[1].txt -> TrackingCookie.Overture : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@e-2dj6wjlikodzwcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@edge.ru4[2].txt -> TrackingCookie.Ru4 : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@h.starware[2].txt -> TrackingCookie.Starware : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@hypertracker[1].txt -> TrackingCookie.Hypertracker : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@ilead.itrack[1].txt -> TrackingCookie.Itrack : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@kmpads[2].txt -> TrackingCookie.Kmpads : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@media.top-banners[1].txt -> TrackingCookie.Top-banners : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@paypopup[1].txt -> TrackingCookie.Paypopup : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@questionmarket[1].txt -> TrackingCookie.Questionmarket : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@revenue[2].txt -> TrackingCookie.Revenue : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@tacoda[2].txt -> TrackingCookie.Tacoda : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@trafficmp[1].txt -> TrackingCookie.Trafficmp : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@trafficmp[3].txt -> TrackingCookie.Trafficmp : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@z1.adserver[1].txt -> TrackingCookie.Adserver : Ignored
C:\WINNT\Temp\Cookies\scott tribbie@zedo[1].txt -> TrackingCookie.Zedo : Ignored
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\WDERWTMJ\mediaview[1].cab/elite.ocx -> Adware.MediaMotor : Ignored
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-4210259494-1926893867-3958095517-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-4210259494-1926893867-3958095517-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
C:\Bleeping\NoAdware4\noadwareutils.dll -> Adware.WebRebates : Cleaned with backup
C:\Documents and Settings\Kathy\Local Settings\Temp\Temporary Internet Files\Content.IE5\M41UJ6RS\MTE3MTk6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Kathy\Local Settings\Temp\Temporary Internet Files\Content.IE5\M41UJ6RS\stub_109_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@buildabear.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@ehg-attworldnet.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Cookies\scott tribbie@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Local Settings\Temporary Internet Files\Content.IE5\B8J6HJK8\ibycgt[1].cab/titno.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Scott Tribbie\Local Settings\Temporary Internet Files\Content.IE5\I9ANUJ4P\installerus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINNT\system32\zwqw -> Worm.Randon.am : Cleaned with backup


::Report End



Let me know if you think I should do anything else.

Thanks a bunch!

Scott Tribbie




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users