
Another Winfixer Victim


This topic is locked
12 replies to this topic

#1 Liz P. (Members)

Posted 10 March 2006 - 07:01 PM

Hi all -- another first-time user here who's been zapped by WinFixer. I've run McAfee spyware, Windows Defender and a couple of specialized tools recommended by another newsgroup (VirtumundoBeGone and WinFixerFix) . . . but no luck. Still getting the Blackworm, system error and WinAntivirus pop-ups . . . also a pop up for pokerplayer (don't know if that's related).

Here's my HijackThis logfile. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:36 PM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\system32\nnnno.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124281343434
O20 - Winlogon Notify: khhfd - khhfd.dll (file missing)
O20 - Winlogon Notify: nnnno - C:\WINDOWS\system32\nnnno.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
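The log above carries the indicators a malware responder keys on, and the script below is an added example (not code from this thread, from HijackThis or from VundoFix) that parses the O2 (BHO) and O20 (Winlogon Notify) lines and flags them: a Winlogon Notify key whose DLL is missing (khhfd), a DLL dropped straight into system32 under a short random lowercase name, and the same DLL hooked as both a BHO and a Winlogon Notify (nnnno.dll), the dual hook that makes the BHO reload at every logon. It also derives the reversed-name companion files (onnnn.ini, onnnn.bak1, onnnn.bak2) that the VundoFix output later in the thread confirms. The sample log is a constructed subset of the lines posted above; the name-length heuristic and the finding labels are assumptions of this example, not HijackThis rules.

```python
"""Triage of HijackThis O2/O20 lines for Vundo-style persistence.

Added example, not part of the original thread and not HijackThis/VundoFix code.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O20 lines from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\system32\nnnno.dll
O20 - Winlogon Notify: khhfd - khhfd.dll (file missing)
O20 - Winlogon Notify: nnnno - C:\WINDOWS\system32\nnnno.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Only a DLL sitting directly in system32 (no vendor subfolder) is considered.
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\(?P<file>[^\\]+)$", re.IGNORECASE)
# Assumed heuristic: 5-8 lowercase letters, no digits, as nnnno/khhfd in the log.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass
class Entry:
    section: str   # "O2" or "O20"
    label: str     # BHO display name or Winlogon Notify subkey
    path: str      # DLL path as HijackThis printed it
    missing: bool  # HijackThis appended "(file missing)"


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis 1.99 log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].strip()
        section = line.split(" ", 1)[0]
        label = m.group("name") if section == "O2" else m.group("key")
        entries.append(Entry(section, label, path, missing))
    return entries


def stem_in_system32(path):
    """File stem (case preserved) if path is <drive>:\\windows\\system32\\<x>.dll, else None."""
    m = SYSTEM32_RE.match(path)
    if not m:
        return None
    name = m.group("file")
    return name[:-4] if name.lower().endswith(".dll") else None


def vundo_companions(dll_path):
    """Reversed-stem companion files (.ini/.bak1/.bak2) in the DLL's folder."""
    folder, _, name = dll_path.rpartition("\\")
    stem = name[:-4] if name.lower().endswith(".dll") else name
    rev = stem[::-1]
    return [folder + "\\" + rev + ext for ext in (".ini", ".bak1", ".bak2")]


def triage(text):
    """Flag dangling Notify keys, random-named system32 DLLs and BHO+Notify dual hooks."""
    findings = []
    hooked = {}  # lowercase stem -> {"sections": set, "path": str}
    for e in parse_hjt(text):
        if e.section == "O20" and e.missing:
            findings.append(("dangling-notify", e.label, e.path))
        stem = stem_in_system32(e.path)
        if stem is None or not RANDOM_STEM_RE.match(stem):
            continue
        findings.append(("random-system32-dll", e.label, e.path))
        info = hooked.setdefault(stem.lower(), {"sections": set(), "path": e.path})
        info["sections"].add(e.section)
    companions = {}
    for stem, info in hooked.items():
        if {"O2", "O20"} <= info["sections"]:
            findings.append(("dual-hook", stem, info["path"]))
        companions[stem] = vundo_companions(info["path"])
    return {"findings": findings, "companions": companions}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, label, path in result["findings"]:
        print(f"{kind:22} {label:18} {path}")
    for stem, files in result["companions"].items():
        print(f"{stem}: also check {', '.join(files)}")
```

A "random-system32-dll" hit is a lead to look up, not proof; the dual hook and the dangling Notify key are the stronger signals, and the companion list tells you which files a manual cleanup has to remove alongside the DLL.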


#2 amateur (Malware Fighter, Malware Response Team)

Posted 10 March 2006 - 08:12 PM

Hi Liz P,

Welcome to BC. :thumbsup:
Please download vundofix.exe to your desktop. Double-click VundoFix.exe to run it.
o Click the Scan for Vundo button.
o Once it's done scanning, click the Remove Vundo button.
o You will receive a prompt asking if you want to remove the files, click YES
o Once you click yes, your desktop will go blank as it starts removing Vundo.
o When completed, it will prompt that it will shutdown your computer, click OK.
o Turn your computer back on.

=========================================

Download Webroot Spy Sweeper from here (it's a two-week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
  • After Spy Sweeper has finished and removed any items found, reboot your computer right away to ensure the infection is fully removed.
=========================================

After the reboot, post a fresh HijackThis log along with the contents of C:\vundofix.txt and the Spy Sweeper log.

#3 Liz P. (Topic Starter)

Posted 10 March 2006 - 09:56 PM

Hi amateur,

I've done the vundofix.exe, but am having trouble finding the free trial link on the SpySweeper website. Sorry if I'm being dense. I clicked on the "Free download" link, but it takes me to a page where I can buy SpySweeper. The "download" link on this page kicks me back to the original page.

Maybe they changed the page format??

L.

#4 amateur (Malware Fighter, Malware Response Team)

Posted 10 March 2006 - 10:06 PM

Hi Liz P,

I just tried the link. It's taking me to the free download page. Softpedia Mirror (US)

#5 Liz P. (Topic Starter)

Posted 10 March 2006 - 10:12 PM

Downloading from the Softpedia mirror link . . . it's downloading ssfsetup1_0.exe . . . estimated time is over 2 hours (I'm on DSL).

Is this right?

#6 amateur (Malware Fighter, Malware Response Team)

Posted 10 March 2006 - 10:16 PM

File name is correct. It shouldn't take that long.

#7 Liz P. (Topic Starter)

Posted 11 March 2006 - 12:27 AM

OK. So far so good. Here are all the log files:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:24 AM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124281343434
O20 - Winlogon Notify: khhfd - khhfd.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

VundoFix:

VundoFix V4.2.30
Scan started at 9:44:04 PM 3/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\nnnno.dll
C:\WINDOWS\system32\onnnn.ini
C:\WINDOWS\system32\onnnn.bak1
C:\WINDOWS\system32\onnnn.bak2

C:\WINDOWS\SYSTEM32\onnnn.bak1
C:\WINDOWS\SYSTEM32\onnnn.bak2
C:\WINDOWS\SYSTEM32\onnnn.ini
C:\WINDOWS\SYSTEM32\nnnno.dll
Attempting to delete C:\WINDOWS\system32\nnnno.dll
C:\WINDOWS\system32\nnnno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnnn.ini
C:\WINDOWS\system32\onnnn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnnn.bak1
C:\WINDOWS\system32\onnnn.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnnn.bak2
C:\WINDOWS\system32\onnnn.bak2 Has been deleted!

Performing Repairs to the registry.
Done!


Spy Sweeper:

********
11:30 PM: | Start of Session, Friday, March 10, 2006 |
11:30 PM: Spy Sweeper started
11:30 PM: Sweep initiated using definitions version 630
11:30 PM: Starting Memory Sweep
11:34 PM: Memory Sweep Complete, Elapsed Time: 00:03:48
11:34 PM: Starting Registry Sweep
11:34 PM: Registry Sweep Complete, Elapsed Time:00:00:13
11:34 PM: Starting Cookie Sweep
11:34 PM: Found Spy Cookie: 2o7.net cookie
11:34 PM: ramsey@2o7[2].txt (ID = 1957)
11:34 PM: Found Spy Cookie: about cookie
11:34 PM: ramsey@about[2].txt (ID = 2037)
11:34 PM: Found Spy Cookie: yieldmanager cookie
11:34 PM: ramsey@ad.yieldmanager[1].txt (ID = 3751)
11:34 PM: Found Spy Cookie: specificclick.com cookie
11:34 PM: ramsey@adopt.specificclick[2].txt (ID = 3400)
11:34 PM: Found Spy Cookie: adrevolver cookie
11:34 PM: ramsey@adrevolver[1].txt (ID = 2088)
11:34 PM: ramsey@adrevolver[3].txt (ID = 2088)
11:34 PM: Found Spy Cookie: addynamix cookie
11:34 PM: ramsey@ads.addynamix[2].txt (ID = 2062)
11:34 PM: Found Spy Cookie: belointeractive cookie
11:34 PM: ramsey@ads.belointeractive[2].txt (ID = 2295)
11:34 PM: Found Spy Cookie: pointroll cookie
11:34 PM: ramsey@ads.pointroll[2].txt (ID = 3148)
11:34 PM: Found Spy Cookie: advertising cookie
11:34 PM: ramsey@advertising[2].txt (ID = 2175)
11:34 PM: Found Spy Cookie: adviva cookie
11:34 PM: ramsey@adviva[1].txt (ID = 2177)
11:34 PM: Found Spy Cookie: ask cookie
11:34 PM: ramsey@ask[1].txt (ID = 2245)
11:34 PM: Found Spy Cookie: atlas dmt cookie
11:34 PM: ramsey@atdmt[1].txt (ID = 2253)
11:34 PM: Found Spy Cookie: atwola cookie
11:34 PM: ramsey@atwola[2].txt (ID = 2255)
11:34 PM: Found Spy Cookie: belnk cookie
11:34 PM: ramsey@belnk[1].txt (ID = 2292)
11:34 PM: ramsey@belointeractive[1].txt (ID = 2294)
11:34 PM: Found Spy Cookie: bluestreak cookie
11:34 PM: ramsey@bluestreak[1].txt (ID = 2314)
11:34 PM: Found Spy Cookie: bs.serving-sys cookie
11:34 PM: ramsey@bs.serving-sys[1].txt (ID = 2330)
11:34 PM: Found Spy Cookie: burstnet cookie
11:34 PM: ramsey@burstnet[1].txt (ID = 2336)
11:34 PM: Found Spy Cookie: zedo cookie
11:34 PM: ramsey@c1.zedo[1].txt (ID = 3763)
11:34 PM: Found Spy Cookie: casalemedia cookie
11:34 PM: ramsey@casalemedia[1].txt (ID = 2354)
11:34 PM: Found Spy Cookie: centrport net cookie
11:34 PM: ramsey@centrport[2].txt (ID = 2374)
11:34 PM: Found Spy Cookie: hitslink cookie
11:34 PM: ramsey@counter.hitslink[1].txt (ID = 2790)
11:34 PM: Found Spy Cookie: 360i cookie
11:34 PM: ramsey@ct.360i[2].txt (ID = 1962)
11:34 PM: Found Spy Cookie: coremetrics cookie
11:34 PM: ramsey@data.coremetrics[1].txt (ID = 2472)
11:34 PM: Found Spy Cookie: overture cookie
11:34 PM: ramsey@data2.perf.overture[1].txt (ID = 3106)
11:34 PM: ramsey@dist.belnk[2].txt (ID = 2293)
11:34 PM: Found Spy Cookie: ru4 cookie
11:34 PM: ramsey@edge.ru4[2].txt (ID = 3269)
11:34 PM: Found Spy Cookie: go.com cookie
11:34 PM: ramsey@espn.go[2].txt (ID = 2729)
11:34 PM: Found Spy Cookie: fastclick cookie
11:34 PM: ramsey@fastclick[1].txt (ID = 2651)
11:34 PM: ramsey@go[1].txt (ID = 2728)
11:34 PM: ramsey@homepage.belointeractive[1].txt (ID = 2295)
11:34 PM: Found Spy Cookie: homestore cookie
11:34 PM: ramsey@homestore[1].txt (ID = 2793)
11:34 PM: Found Spy Cookie: maxserving cookie
11:34 PM: ramsey@maxserving[2].txt (ID = 2966)
11:34 PM: ramsey@media.fastclick[2].txt (ID = 2652)
11:34 PM: Found Spy Cookie: mediaplex cookie
11:34 PM: ramsey@mediaplex[1].txt (ID = 6442)
11:34 PM: ramsey@msnportal.112.2o7[1].txt (ID = 1958)
11:34 PM: ramsey@nascar.about[1].txt (ID = 2038)
11:34 PM: Found Spy Cookie: nextag cookie
11:34 PM: ramsey@nextag[2].txt (ID = 5014)
11:34 PM: ramsey@overture[2].txt (ID = 3105)
11:34 PM: ramsey@perf.overture[1].txt (ID = 3106)
11:34 PM: Found Spy Cookie: questionmarket cookie
11:34 PM: ramsey@questionmarket[1].txt (ID = 3217)
11:34 PM: Found Spy Cookie: realmedia cookie
11:34 PM: ramsey@realmedia[1].txt (ID = 3235)
11:34 PM: Found Spy Cookie: rightmedia cookie
11:34 PM: ramsey@rightmedia[2].txt (ID = 3259)
11:34 PM: ramsey@rsi.espn.go[1].txt (ID = 2729)
11:34 PM: Found Spy Cookie: servedby advertising cookie
11:34 PM: ramsey@servedby.advertising[1].txt (ID = 3335)
11:34 PM: Found Spy Cookie: serving-sys cookie
11:34 PM: ramsey@serving-sys[1].txt (ID = 3343)
11:34 PM: ramsey@sports.espn.go[1].txt (ID = 2729)
11:34 PM: Found Spy Cookie: statcounter cookie
11:34 PM: ramsey@statcounter[2].txt (ID = 3447)
11:34 PM: Found Spy Cookie: webtrendslive cookie
11:34 PM: ramsey@statse.webtrendslive[2].txt (ID = 3667)
11:34 PM: Found Spy Cookie: tacoda cookie
11:34 PM: ramsey@tacoda[1].txt (ID = 6444)
11:34 PM: Found Spy Cookie: trafficmp cookie
11:34 PM: ramsey@trafficmp[1].txt (ID = 3581)
11:34 PM: Found Spy Cookie: trb.com cookie
11:34 PM: ramsey@trb[2].txt (ID = 3587)
11:34 PM: Found Spy Cookie: tribalfusion cookie
11:34 PM: ramsey@tribalfusion[2].txt (ID = 3589)
11:34 PM: Found Spy Cookie: tripod cookie
11:34 PM: ramsey@tripod[1].txt (ID = 3591)
11:34 PM: ramsey@twci.coremetrics[1].txt (ID = 2472)
11:34 PM: Found Spy Cookie: burstbeacon cookie
11:34 PM: ramsey@www.burstbeacon[1].txt (ID = 2335)
11:34 PM: Found Spy Cookie: adserver cookie
11:34 PM: ramsey@z1.adserver[2].txt (ID = 2142)
11:34 PM: ramsey@zedo[2].txt (ID = 3762)
11:34 PM: Found Spy Cookie: 247realmedia cookie
11:34 PM: liz@247realmedia[1].txt (ID = 1953)
11:34 PM: liz@2o7[2].txt (ID = 1957)
11:34 PM: liz@abclocal.go[1].txt (ID = 2729)
11:34 PM: liz@abcnews.go[2].txt (ID = 2729)
11:34 PM: liz@about[1].txt (ID = 2037)
11:34 PM: liz@ad.yieldmanager[1].txt (ID = 3751)
11:34 PM: Found Spy Cookie: adecn cookie
11:34 PM: liz@adecn[1].txt (ID = 2063)
11:34 PM: Found Spy Cookie: adknowledge cookie
11:34 PM: liz@adknowledge[1].txt (ID = 2072)
11:34 PM: liz@adopt.specificclick[2].txt (ID = 3400)
11:34 PM: liz@adrevolver[1].txt (ID = 2088)
11:34 PM: liz@adrevolver[2].txt (ID = 2088)
11:34 PM: liz@ads.addynamix[2].txt (ID = 2062)
11:34 PM: Found Spy Cookie: ads.adsag cookie
11:34 PM: liz@ads.adsag[1].txt (ID = 2108)
11:34 PM: liz@ads.belointeractive[2].txt (ID = 2295)
11:34 PM: liz@ads.pointroll[1].txt (ID = 3148)
11:34 PM: liz@advertising[2].txt (ID = 2175)
11:34 PM: liz@anat.tacoda[1].txt (ID = 6445)
11:34 PM: Found Spy Cookie: apmebf cookie
11:34 PM: liz@apmebf[2].txt (ID = 2229)
11:34 PM: Found Spy Cookie: falkag cookie
11:34 PM: liz@as-us.falkag[2].txt (ID = 2650)
11:34 PM: liz@as1.falkag[2].txt (ID = 2650)
11:34 PM: liz@ask[2].txt (ID = 2245)
11:34 PM: liz@atdmt[2].txt (ID = 2253)
11:34 PM: liz@ath.belnk[1].txt (ID = 2293)
11:34 PM: liz@atwola[1].txt (ID = 2255)
11:34 PM: Found Spy Cookie: azjmp cookie
11:34 PM: liz@azjmp[2].txt (ID = 2270)
11:34 PM: Found Spy Cookie: bannerspace cookie
11:34 PM: liz@bannerspace[2].txt (ID = 2284)
11:34 PM: Found Spy Cookie: banner cookie
11:34 PM: liz@banner[2].txt (ID = 2276)
11:34 PM: liz@belnk[2].txt (ID = 2292)
11:34 PM: liz@belointeractive[1].txt (ID = 2294)
11:34 PM: Found Spy Cookie: bizrate cookie
11:34 PM: liz@bizrate[2].txt (ID = 2308)
11:34 PM: Found Spy Cookie: bluemountain cookie
11:34 PM: liz@bluemountain[2].txt (ID = 2312)
11:34 PM: liz@blues.about[1].txt (ID = 2038)
11:34 PM: liz@bluestreak[2].txt (ID = 2314)
11:34 PM: Found Spy Cookie: bravenet cookie
11:34 PM: liz@bravenet[2].txt (ID = 2322)
11:34 PM: liz@bs.serving-sys[2].txt (ID = 2330)
11:34 PM: liz@burstnet[2].txt (ID = 2336)
11:34 PM: liz@casalemedia[2].txt (ID = 2354)
11:34 PM: liz@cbs.112.2o7[1].txt (ID = 1958)
11:34 PM: liz@centrport[1].txt (ID = 2374)
11:34 PM: liz@cnn.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@cornerstone.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@ct.360i[2].txt (ID = 1962)
11:34 PM: liz@data.coremetrics[1].txt (ID = 2472)
11:34 PM: liz@data1.perf.overture[2].txt (ID = 3106)
11:34 PM: liz@data3.perf.overture[1].txt (ID = 3106)
11:34 PM: liz@dc.about[1].txt (ID = 2038)
11:34 PM: Found Spy Cookie: dealtime cookie
11:34 PM: liz@dealtime[1].txt (ID = 2505)
11:34 PM: liz@destinations.disney.go[1].txt (ID = 2729)
11:34 PM: liz@disneyworld.disney.go[1].txt (ID = 2729)
11:34 PM: liz@dist.belnk[1].txt (ID = 2293)
11:34 PM: liz@ecnext.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@edge.ru4[2].txt (ID = 3269)
11:34 PM: liz@espn.go[1].txt (ID = 2729)
11:34 PM: liz@experts.about[2].txt (ID = 2038)
11:34 PM: liz@falkag[2].txt (ID = 2649)
11:34 PM: liz@fastclick[2].txt (ID = 2651)
11:34 PM: liz@gonyc.about[2].txt (ID = 2038)
11:34 PM: liz@go[1].txt (ID = 2728)
11:34 PM: liz@greatschools.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@homepage.belointeractive[2].txt (ID = 2295)
11:34 PM: liz@homestore[1].txt (ID = 2793)
11:34 PM: Found Spy Cookie: screensavers.com cookie
11:34 PM: liz@i.screensavers[2].txt (ID = 3298)
11:34 PM: Found Spy Cookie: ic-live cookie
11:34 PM: liz@ic-live[1].txt (ID = 2821)
11:34 PM: liz@infertility.about[1].txt (ID = 2038)
11:34 PM: liz@insider.espn.go[1].txt (ID = 2729)
11:34 PM: Found Spy Cookie: kmpads cookie
11:34 PM: liz@kmpads[1].txt (ID = 2909)
11:34 PM: Found Spy Cookie: domainsponsor cookie
11:34 PM: liz@landing.domainsponsor[1].txt (ID = 2535)
11:34 PM: liz@mediaplex[2].txt (ID = 6442)
11:34 PM: liz@microsofteup.112.2o7[1].txt (ID = 1958)
11:34 PM: liz@msnportal.112.2o7[1].txt (ID = 1958)
11:34 PM: liz@nextag[1].txt (ID = 5014)
11:34 PM: liz@overture[2].txt (ID = 3105)
11:34 PM: liz@partygaming.122.2o7[1].txt (ID = 1958)
11:34 PM: Found Spy Cookie: partypoker cookie
11:34 PM: liz@partypoker[2].txt (ID = 3111)
11:34 PM: liz@perf.overture[1].txt (ID = 3106)
11:34 PM: Found Spy Cookie: pricegrabber cookie
11:34 PM: liz@pricegrabber[1].txt (ID = 3185)
11:34 PM: Found Spy Cookie: pro-market cookie
11:34 PM: liz@pro-market[1].txt (ID = 3197)
11:34 PM: Found Spy Cookie: pub cookie
11:34 PM: liz@pub[1].txt (ID = 3205)
11:34 PM: Found Spy Cookie: qksrv cookie
11:34 PM: liz@qksrv[2].txt (ID = 3213)
11:34 PM: liz@questionmarket[1].txt (ID = 3217)
11:34 PM: liz@realmedia[2].txt (ID = 3235)
11:34 PM: Found Spy Cookie: valuead cookie
11:34 PM: liz@reduxads.valuead[2].txt (ID = 3627)
11:34 PM: Found Spy Cookie: reunion cookie
11:34 PM: liz@reunion[2].txt (ID = 3255)
11:34 PM: Found Spy Cookie: revenue.net cookie
11:34 PM: liz@revenue[1].txt (ID = 3257)
11:34 PM: Found Spy Cookie: adjuggler cookie
11:34 PM: liz@rotator.adjuggler[1].txt (ID = 2071)
11:34 PM: liz@rsi.abcnews.go[1].txt (ID = 2729)
11:34 PM: liz@rsi.espn.go[1].txt (ID = 2729)
11:34 PM: liz@sel.as-us.falkag[1].txt (ID = 2650)
11:34 PM: liz@sento.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@servedby.advertising[2].txt (ID = 3335)
11:34 PM: Found Spy Cookie: server.iad.liveperson cookie
11:34 PM: liz@server.iad.liveperson[1].txt (ID = 3341)
11:34 PM: liz@serving-sys[2].txt (ID = 3343)
11:34 PM: liz@sports-att.espn.go[1].txt (ID = 2729)
11:34 PM: liz@sports.espn.go[2].txt (ID = 2729)
11:34 PM: Found Spy Cookie: starware.com cookie
11:34 PM: liz@starware[2].txt (ID = 3441)
11:34 PM: liz@stat.dealtime[2].txt (ID = 2506)
11:34 PM: liz@statcounter[1].txt (ID = 3447)
11:34 PM: Found Spy Cookie: reliablestats cookie
11:34 PM: liz@stats1.reliablestats[1].txt (ID = 3254)
11:34 PM: liz@statse.webtrendslive[2].txt (ID = 3667)
11:34 PM: liz@stpetersburgtimes.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@tacoda[1].txt (ID = 6444)
11:34 PM: liz@test.coremetrics[1].txt (ID = 2472)
11:34 PM: Found Spy Cookie: tracking cookie
11:34 PM: liz@tracking[2].txt (ID = 3571)
11:34 PM: Found Spy Cookie: tradedoubler cookie
11:34 PM: liz@tradedoubler[1].txt (ID = 3575)
11:34 PM: liz@trafficmp[1].txt (ID = 3581)
11:34 PM: liz@trb[2].txt (ID = 3587)
11:34 PM: liz@tribalfusion[1].txt (ID = 3589)
11:34 PM: liz@tribuneinteractive.122.2o7[1].txt (ID = 1958)
11:34 PM: liz@tripod[1].txt (ID = 3591)
11:34 PM: liz@twci.coremetrics[1].txt (ID = 2472)
11:34 PM: liz@usgovinfo.about[1].txt (ID = 2038)
11:34 PM: liz@valuead[2].txt (ID = 3626)
11:34 PM: Found Spy Cookie: realtracker cookie
11:34 PM: liz@web4.realtracker[2].txt (ID = 3242)
11:34 PM: liz@www.burstbeacon[1].txt (ID = 2335)
11:34 PM: liz@www.screensavers[1].txt (ID = 3298)
11:34 PM: Found Spy Cookie: winantiviruspro cookie
11:34 PM: liz@www.winantiviruspro[2].txt (ID = 3690)
11:34 PM: liz@z1.adserver[1].txt (ID = 2142)
11:34 PM: liz@zedo[1].txt (ID = 3762)
11:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:10
11:34 PM: Starting File Sweep
12:14 AM: File Sweep Complete, Elapsed Time: 00:39:58
12:14 AM: Full Sweep has completed. Elapsed time 00:44:17
12:14 AM: Traces Found: 177
12:15 AM: Removal process initiated
12:16 AM: Quarantining All Traces: 247realmedia cookie
12:16 AM: Quarantining All Traces: 2o7.net cookie
12:16 AM: Quarantining All Traces: 360i cookie
12:16 AM: Quarantining All Traces: about cookie
12:16 AM: Quarantining All Traces: addynamix cookie
12:16 AM: Quarantining All Traces: adecn cookie
12:16 AM: Quarantining All Traces: adjuggler cookie
12:16 AM: Quarantining All Traces: adknowledge cookie
12:16 AM: Quarantining All Traces: adrevolver cookie
12:16 AM: Quarantining All Traces: ads.adsag cookie
12:16 AM: Quarantining All Traces: adserver cookie
12:16 AM: Quarantining All Traces: advertising cookie
12:16 AM: Quarantining All Traces: adviva cookie
12:16 AM: Quarantining All Traces: apmebf cookie
12:16 AM: Quarantining All Traces: ask cookie
12:16 AM: Quarantining All Traces: atlas dmt cookie
12:16 AM: Quarantining All Traces: atwola cookie
12:16 AM: Quarantining All Traces: azjmp cookie
12:16 AM: Quarantining All Traces: banner cookie
12:16 AM: Quarantining All Traces: bannerspace cookie
12:16 AM: Quarantining All Traces: belnk cookie
12:16 AM: Quarantining All Traces: belointeractive cookie
12:16 AM: Quarantining All Traces: bizrate cookie
12:16 AM: Quarantining All Traces: bluemountain cookie
12:16 AM: Quarantining All Traces: bluestreak cookie
12:16 AM: Quarantining All Traces: bravenet cookie
12:16 AM: Quarantining All Traces: bs.serving-sys cookie
12:16 AM: Quarantining All Traces: burstbeacon cookie
12:16 AM: Quarantining All Traces: burstnet cookie
12:16 AM: Quarantining All Traces: casalemedia cookie
12:16 AM: Quarantining All Traces: centrport net cookie
12:16 AM: Quarantining All Traces: coremetrics cookie
12:16 AM: Quarantining All Traces: dealtime cookie
12:16 AM: Quarantining All Traces: domainsponsor cookie
12:16 AM: Quarantining All Traces: falkag cookie
12:16 AM: Quarantining All Traces: fastclick cookie
12:16 AM: Quarantining All Traces: go.com cookie
12:16 AM: Quarantining All Traces: hitslink cookie
12:16 AM: Quarantining All Traces: homestore cookie
12:16 AM: Quarantining All Traces: ic-live cookie
12:16 AM: Quarantining All Traces: kmpads cookie
12:16 AM: Quarantining All Traces: maxserving cookie
12:16 AM: Quarantining All Traces: mediaplex cookie
12:16 AM: Quarantining All Traces: nextag cookie
12:16 AM: Quarantining All Traces: overture cookie
12:16 AM: Quarantining All Traces: partypoker cookie
12:16 AM: Quarantining All Traces: pointroll cookie
12:16 AM: Quarantining All Traces: pricegrabber cookie
12:16 AM: Quarantining All Traces: pro-market cookie
12:16 AM: Quarantining All Traces: pub cookie
12:16 AM: Quarantining All Traces: qksrv cookie
12:16 AM: Quarantining All Traces: questionmarket cookie
12:16 AM: Quarantining All Traces: realmedia cookie
12:16 AM: Quarantining All Traces: realtracker cookie
12:16 AM: Quarantining All Traces: reliablestats cookie
12:16 AM: Quarantining All Traces: reunion cookie
12:16 AM: Quarantining All Traces: revenue.net cookie
12:16 AM: Quarantining All Traces: rightmedia cookie
12:16 AM: Quarantining All Traces: ru4 cookie
12:16 AM: Quarantining All Traces: screensavers.com cookie
12:16 AM: Quarantining All Traces: servedby advertising cookie
12:16 AM: Quarantining All Traces: server.iad.liveperson cookie
12:16 AM: Quarantining All Traces: serving-sys cookie
12:16 AM: Quarantining All Traces: specificclick.com cookie
12:16 AM: Quarantining All Traces: starware.com cookie
12:16 AM: Quarantining All Traces: statcounter cookie
12:16 AM: Quarantining All Traces: tacoda cookie
12:16 AM: Quarantining All Traces: tracking cookie
12:16 AM: Quarantining All Traces: tradedoubler cookie
12:16 AM: Quarantining All Traces: trafficmp cookie
12:16 AM: Quarantining All Traces: trb.com cookie
12:16 AM: Quarantining All Traces: tribalfusion cookie
12:16 AM: Quarantining All Traces: tripod cookie
12:16 AM: Quarantining All Traces: valuead cookie
12:16 AM: Quarantining All Traces: webtrendslive cookie
12:16 AM: Quarantining All Traces: winantiviruspro cookie
12:16 AM: Quarantining All Traces: yieldmanager cookie
12:16 AM: Quarantining All Traces: zedo cookie
12:16 AM: Removal process completed. Elapsed time 00:00:29
********
11:27 PM: | Start of Session, Friday, March 10, 2006 |
11:27 PM: Spy Sweeper started
11:28 PM: Your spyware definitions have been updated.
11:30 PM: | End of Session, Friday, March 10, 2006 |

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 11 March 2006 - 07:18 AM

Hi Liz P,

The Vundo infection is gone. :thumbsup: How is the computer running now? We need to check a few more things. You can delete all those fixes you say you downloaded earlier, e.g. VirtumundoBeGone and WinFixerFix, as well as the VundoFix I asked you to use. Spy Sweeper is a trial version. You can keep it for two weeks and do a couple more scans with it. However, you'll have to pay for it if you want to keep it any longer. Otherwise, remove it from Add/Remove Programs.

Please download CCleaner

Click on Options, select Advanced, and UNCHECK "Only delete files in Windows Temp folders older than 48 hours".
Make sure the Cleaner block on the left is selected (do not use the "Issues" block). Choose the Windows tab.
Check everything EXCEPT the Advanced part of the menu. If you don't want to lose your login passwords to certain sites, click on Options, select Cookies, and move the ones you want to keep to the "Cookies to keep" section by highlighting them and using the arrows in the middle.
Choose Run Cleaner. This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

If you have more than one user, run CCleaner for every user.

====================================

Scan with HijackThis and put a checkmark against the following entries:

R3 - Default URLSearchHook is missing

O20 - Winlogon Notify: khhfd - khhfd.dll (file missing)


The following is not malware but can come bundled with it. If you didn't install it yourself, please include them in the fix:

O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

Close all other browsers/windows, except HijackThis and click on "fix checked".

=====================================

Using Windows Explorer, navigate and delete the following folder, if you fixed it with HijackThis:

C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker

======================================

Let's check that there isn't anything else lurking in there.

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results and a fresh HijackThis log in your next reply
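
A small triage script for the kinds of HijackThis entries discussed in this post, added here as an example (it is not part of the thread and not code from HijackThis itself). It parses the "Oxx - ..." log lines and flags the same things that were asked to be fixed above: a missing default URLSearchHook, a Winlogon Notify DLL that is not on disk, and O9 buttons belonging to a bundled application. The watch-list and the sample log excerpt are constructed from the entries quoted in this thread.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of this thread or of HijackThis itself: it parses the
section lines a helper walks through and flags the kinds of entries that were
asked to be fixed above (a missing default URLSearchHook, a Winlogon Notify
DLL that is not on disk, and O9 buttons that belong to a bundled application).
SAMPLE_LOG is a constructed excerpt of the log posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section codes seen in the thread's log; the label is only for readable output.
SECTION_NAMES = {
    "R0": "IE start/search page", "R1": "IE default page", "R3": "URLSearchHook",
    "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "Autostart entry",
    "O9": "Extra IE button/menu item", "O16": "Downloaded ActiveX (DPF)",
    "O20": "Winlogon Notify / AppInit", "O23": "Service",
}

# Watch-list for "not malware but can come bundled with it" (constructed for
# this example from the entry the helper pointed at; extend it for your own use).
BUNDLED_WATCHLIST = ("AbsolutePoker",)

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)

    def describe(self) -> str:
        label = SECTION_NAMES.get(self.section, self.section)
        return f"{self.section} [{label}] {self.body} -> {'; '.join(self.flags) or 'ok'}"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one 'Oxx - ...' log line into an HjtEntry; other lines (the process
    list, the header) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    # HijackThis separates description, CLSID and target with ' - '; the target
    # is the last field when it looks like a path, a URL or a missing file.
    parts = [p.strip() for p in body.split(" - ")]
    last = parts[-1]
    path = last if len(parts) > 1 and ("\\" in last or "://" in last
                                      or "(file missing)" in last) else None
    return HjtEntry(section, body, clsid.group(0) if clsid else None, path)


def flag_entry(entry: HjtEntry) -> HjtEntry:
    """Apply the triage rules used in this thread and record findings on the entry."""
    if entry.section == "R3" and "is missing" in entry.body:
        entry.flags.append("default URLSearchHook missing; let HijackThis restore it")
    if entry.section == "O20" and "(file missing)" in entry.body:
        entry.flags.append("Winlogon Notify DLL not on disk; orphaned entry, fix it")
    if entry.section == "O9" and any(
            name.lower() in entry.body.lower() for name in BUNDLED_WATCHLIST):
        entry.flags.append("bundled application; remove unless installed on purpose")
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    """Parse a whole log and return every recognised entry, flagged or not."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [flag_entry(e) for e in entries if e is not None]


def flagged(log_text: str) -> List[HjtEntry]:
    """Only the entries a helper would ask the user to act on."""
    return [e for e in triage(log_text) if e.flags]


# Constructed excerpt: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O20 - Winlogon Notify: khhfd - khhfd.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip()

if __name__ == "__main__":
    for entry in flagged(SAMPLE_LOG):
        print(entry.describe())
```

Note that the Comcast O9 button also reads "(file missing)" but is not flagged: the rules mirror the post, where only the orphaned O20 entry and the bundled poker button were asked to be fixed.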

#9 Liz P.

Liz P.
  • Topic Starter

  • Members
  • 6 posts

Posted 12 March 2006 - 06:07 PM

Computer is MUCH better. The Winfixer pop-ups are gone and speed is back to normal.

Panda did find 2 spyware files, though . . .

Incident                    Status            Location
Spyware:Cookie/Atlas DMT    Not disinfected   C:\Documents and Settings\Liz\Cookies\liz@atdmt[1].txt
Spyware:Cookie/Mediaplex    Not disinfected   C:\Documents and Settings\Liz\Cookies\liz@mediaplex[1].txt


Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:03:32 PM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124281343434
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 12 March 2006 - 06:39 PM

Hi LizP,

Well done. Your log is clean. :thumbsup: What Panda is flagging are some cookies, which you get when you visit a website. Nothing to worry about. You can use CCleaner on a regular basis to keep them under control.

You have an old and vulnerable version of the Java Runtime Environment (JRE) installed. Please go to this link and it will describe how you can remove your old version and update to a new JRE:
http://wiki.castlecops.com/Windows_Update_Fix

Please delete the Vundofix from your desktop and empty your Recycle bin.

Spysweeper is a trial version. Please uninstall it unless you want to pay for it and keep it.

Now that you are clean, or seem to be, please follow these simple steps to stay that way:

Disable and Enable System Restore
If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files in a restore point. Because Windows regularly sets restore points, it's very possible that the malware you have removed is still present in System Restore. If you put Windows back to such a restore point, this malware will be put back as well.

This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.
4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot normally.

You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following free ones. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflicts and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommend doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here Remember to "immunize" after each update
Microsoft Antispyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup windows from opening when you come across a website that uses them while surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
* Fraudulent claims or scams
* Offensive material
* Security vulnerabilities
* Spyware or Adware
* Spam related material
* or other content deemed to be unsafe

Specifically, SiteHound blocks these categories:
o Adult
o Spyware
o Spam Advertising
o Phishing
o Possible scam or fraud
o Misleading or False Advertising
o Pharming
o Rogue or Suspect Product
o Adware
o Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You cannot uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.

But above all, keep all your software UP-TO-DATE at all times!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Happy and safe surfing. :flowers:
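
An added check for the six Internet-zone settings recommended in this post, written as example code for this thread rather than taken from it: it compares the current user's Internet-zone values with the recommended ones. Internet Explorer stores the Custom Level choices of zone 3 (Internet) as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 with 0 = Enable, 1 = Prompt, 3 = Disable; the value IDs used are Microsoft's documented ones for those settings, and the Windows reader relies on Python's winreg module.

```python
"""Audit of the Internet Explorer "Internet" zone settings recommended above.

Added example, not part of this thread. The Custom Level settings of zone 3
(Internet) live as DWORD values under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
with 0 = Enable, 1 = Prompt, 3 = Disable; the value IDs below are Microsoft's
documented ones for the six settings listed in the post. audit_zone() is pure
and runs anywhere; read_internet_zone() needs Windows (winreg) and returns an
empty dict elsewhere.
"""
from typing import Dict, List, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value ID -> (Custom Level dialog label, value the post recommends)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def audit_zone(current: Dict[str, int]) -> List[str]:
    """Return one finding per recommended setting that is more permissive than
    the post asks for, or that is not set explicitly in the user's hive (then
    the registry alone cannot confirm it, so it is reported for review)."""
    findings: List[str] = []
    for value_id, (label, wanted) in RECOMMENDED.items():
        have = current.get(value_id)
        if have is None:
            findings.append(f"{value_id} ({label}): not set, wanted {SETTING_NAMES[wanted]}")
        elif have not in SETTING_NAMES or have < wanted:
            # 0 < 1 < 3 orders Enable < Prompt < Disable, so a smaller number is
            # a weaker setting; values outside that set are reported for review.
            have_name = SETTING_NAMES.get(have, f"unknown ({have})")
            findings.append(f"{value_id} ({label}): {have_name}, wanted {SETTING_NAMES[wanted]}")
    return findings


def read_internet_zone() -> Dict[str, int]:
    """Read the current user's Internet-zone values on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for value_id in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, value_id)
                values[value_id] = int(data)
            except FileNotFoundError:
                continue  # value absent: audit_zone() reports it as "not set"
    return values


if __name__ == "__main__":
    # On a Windows machine this prints the settings still weaker than recommended.
    for finding in audit_zone(read_internet_zone()):
        print(finding)
```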

#11 Liz P.

Liz P.
  • Topic Starter

  • Members
  • 6 posts

Posted 12 March 2006 - 06:42 PM

Thanks SO much for all your help! I'll be sure to follow the prevention instructions.

L.

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 12 March 2006 - 06:43 PM

You're welcome. Glad we could help. Stay safe! :thumbsup:

#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 14 March 2006 - 03:58 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



