
W32/rbot-ank Email-flooder, Sahagent Spyware/adware & More


  • This topic is locked
19 replies to this topic

#1 djb

  • Members
  • 16 posts

Posted 22 March 2006 - 09:38 AM

My system has the spyware mentioned in the topic title plus others like my way speedbar Spyware/Adware and smitfraud variant Browser Hijacker. I found the specific names through running the MWAV.exe program by Kaspersky.

I followed all the steps outlined in here and then ran Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 7:14:33 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...p?sku_num=29_18
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/045f81910f009fa40021/...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43B4E641-1369-4350-9308-61AF83541CAC}: NameServer = 85.255.113.147,85.255.112.90
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 22 March 2006 - 03:39 PM

Hi djb, :thumbsup:

Welcome to BC. :flowers: I cannot see any evidence of Rbot in your log. Can you give me the file path where Kaspersky says it finds it? However, I see that you have a DNS changing trojan. I also see an entry in your trusted zone. It's best not to have anything in the trusted zone. Let's do the following:

===================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

===================
  • Close all open Explorer windows and browsers
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When complete and all files removed, close the application.
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...p?sku_num=29_18
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/045f81910f009fa40021/...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43B4E641-1369-4350-9308-61AF83541CAC}: NameServer = 85.255.113.147,85.255.112.90


===================

Download ATF Cleaner by Atribune and save it to your Desktop. Do not run it yet.

===================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.

===================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

===================

In Safe Mode, using Windows Explorer (right click on Start, click on Explore), navigate to and delete the following file:

C:\WINDOWS\system32\yaemu.exe

===================

From Safe Mode double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

===================

From Safe Mode run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido-Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

===================

Restart your computer in Normal Mode and

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
===================

Reboot and scan with HijackThis again and please post back:

Ewido Scan results
Kaspersky Scan results
The fresh HijackThis log
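The reply above singles out three kinds of HijackThis entry: the O17 NameServer line pointing at resolvers the machine should not be using (the DNS changing trojan), a site sitting in the O15 Trusted Zone, and an O16 ActiveX download whose source is a bare IP address rather than a vendor hostname. The Python script below is an added example, not part of this thread and not code from HijackThis or BleepingComputer; it turns those three observations into a small triage pass over HijackThis-format lines. The sample log is constructed from the entry types in this thread (the O16 URL is kept abbreviated with "..." exactly as HijackThis prints it), and the expected-resolver allowlist is an assumed home-router address standing in for whatever the ISP or DHCP lease actually hands out.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 format, modelled on entry types from
# this thread (not the poster's full log). HijackThis abbreviates long URLs
# with "..."; the second O16 line is kept exactly as the tool prints it.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/045f81910f009fa40021/...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43B4E641-1369-4350-9308-61AF83541CAC}: NameServer = 85.255.113.147,85.255.112.90
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist: the resolvers this machine is expected to use. The value
# here is a constructed home-router address; fill it from the ISP or DHCP lease.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1"})

# Every HijackThis entry line starts with a type code such as R1, O4, O17, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")


def parse_entries(text):
    """Yield (kind, body) for each entry line; header and process-list lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def is_literal_ip(host):
    """True when a URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return (kind, reason, body) findings for the O15/O16/O17 checks described in the thread."""
    findings = []
    for kind, body in parse_entries(text):
        if kind == "O17":
            # O17 is a per-interface NameServer override. Any resolver outside
            # the expected set means DNS answers are being steered elsewhere.
            m = NAMESERVER_RE.search(body)
            servers = re.split(r"[,\s]+", m.group("servers").strip()) if m else []
            for ns in servers:
                if ns and ns not in expected_resolvers:
                    findings.append((kind, f"NameServer {ns} is not an expected resolver", body))
        elif kind == "O15":
            # O15 sites get IE's relaxed Trusted Zone settings; the advice in
            # the thread is to have nothing listed there at all.
            findings.append((kind, "site listed in the IE Trusted Zone", body))
        elif kind == "O16":
            # O16 entries are downloaded ActiveX controls. The URL is the last
            # " - " separated field; a bare-IP source deserves a closer look.
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlsplit(url).hostname
            if host and is_literal_ip(host):
                findings.append((kind, f"ActiveX control fetched from bare IP {host}", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {body}")
```

Run against the sample it reports four findings: the Trusted Zone site, the bare-IP ActiveX source, and one finding per unexpected resolver on the O17 line. The O17 check is only as good as the allowlist, which is why it is a parameter rather than a hard-coded constant: on a machine that uses DHCP-assigned DNS there should normally be no O17 line at all, and the presence of one is itself worth a question.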


#3 djb

  • Topic Starter
  • Members
  • 16 posts

Posted 22 March 2006 - 08:12 PM

Hi djb, :thumbsup:

Welcome to BC. :flowers: I cannot see any evidence of Rbot in your log. Can you give me the filepath where Kaspersky says it finds it?


Hi amateur, thanks for taking the time to help me with this. I appreciate it!

I was not able to find C:\WINDOWS\system32\yaemu.exe. Maybe a scan I did after I posted my original message deleted it?

I made the file from the MicroWorld AntiVirus (Powered by Kaspersky) into a .doc so I could search for the Rbot entry, and I copied a section of the report I thought might be useful to you:

Mon Mar 20 00:42:01 2006 => ***** Scanning Registry and File system for Adware/Spyware *****
Mon Mar 20 00:42:02 2006 => Loading Spyware Signatures from new External Database (Size: 153719).
Mon Mar 20 00:42:04 2006 => Indexed Spyware Databases Successfully Created...

Mon Mar 20 00:42:43 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.
Mon Mar 20 00:42:43 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.
Mon Mar 20 00:42:43 2006 => System found infected with netster Spyware/Adware ({56336bcb-3d8a-11d6-a00b-0050da18de71})! Action taken: No Action Taken.
Mon Mar 20 00:42:46 2006 => Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1
Mon Mar 20 00:42:46 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.

Mon Mar 20 00:42:46 2006 => Offending file found: C:\WINDOWS\system32\tmpmpt1.tmp
Mon Mar 20 00:42:46 2006 => System found infected with sahagent Spyware/Adware (tmpmpt1.tmp)! Action taken: No Action Taken.

Mon Mar 20 00:42:46 2006 => Offending Folder found: C:\Program Files\myway
Mon Mar 20 00:42:46 2006 => Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Mon Mar 20 00:42:46 2006 => Offending Folder found: C:\Documents and Settings\David Blazina\Application Data\acccore\caches\bart\1024
Mon Mar 20 00:42:46 2006 => Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.

Mon Mar 20 00:42:53 2006 => Offending file found: C:\Documents and Settings\David Blazina\Application Data\tenebril\uninstaller\1.2\settings.dat
Mon Mar 20 00:42:53 2006 => System found infected with cydoor.topicks.a Spyware/Adware (settings.dat)! Action taken: No Action Taken.

Mon Mar 20 00:43:05 2006 => Offending file found: C:\Documents and Settings\David Blazina\Desktop\internet.lnk
Mon Mar 20 00:43:05 2006 => System found infected with ezula Spyware/Adware (internet.lnk)! Action taken: No Action Taken.

Mon Mar 20 00:43:57 2006 => Offending file found: C:\Documents and Settings\All Users\Application Data\aol downloads\triton_suite_install_2.0.6.1\toolbar.exe
Mon Mar 20 00:43:57 2006 => System found infected with elite toolbar Spyware/Adware (toolbar.exe)! Action taken: No Action Taken.

Mon Mar 20 00:43:59 2006 => Offending file found: C:\Documents and Settings\All Users\Application Data\gtek\gtupdate\aupdate\channels\channels.ini
Mon Mar 20 00:43:59 2006 => System found infected with clipgenie Spyware/Adware (channels.ini)! Action taken: No Action Taken.


Ewido Scan Results:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:52:28 PM, 3/22/2006
+ Report-Checksum: 916415E7

+ Scan result:

:mozilla.22:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.24:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.25:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.26:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.27:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.28:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.30:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.31:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.32:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.33:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.35:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.36:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.39:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.72:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.73:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.74:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.118:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.133:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.134:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.135:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.136:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.139:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.140:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.141:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.142:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.143:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.144:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.145:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.148:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.149:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.156:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.203:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.205:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.206:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.207:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.208:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.209:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.210:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.211:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.232:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.233:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.252:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.253:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.254:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.255:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.256:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.257:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.258:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.259:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.260:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.297:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.519:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.520:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.521:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.603:C:\Documents and Settings\David Blazina\Application Data\Mozilla\Firefox\Profiles\default.fi2\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\David Blazina\Cookies\david blazina@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David Blazina\Cookies\david blazina@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.11:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.12:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.13:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.14:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.15:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.23:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning
:mozilla.24:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Atdmt : Error during cleaning
:mozilla.25:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.26:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.27:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.28:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.29:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.30:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.31:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.32:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.33:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.34:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.35:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.36:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.37:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.38:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.39:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.40:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.41:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.42:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.43:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.44:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.45:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Mediaplex : Error during cleaning
:mozilla.52:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.53:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.54:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.55:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.89:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Overture : Error during cleaning
:mozilla.90:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Overture : Error during cleaning
:mozilla.91:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.92:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.93:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Centrport : Error during cleaning
:mozilla.94:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Centrport : Error during cleaning
:mozilla.95:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.96:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.97:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.98:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.104:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.105:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.107:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.108:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.109:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.110:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.111:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.112:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.113:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.114:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.116:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.117:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.118:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.119:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.120:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.121:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.122:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.125:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.128:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.129:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.130:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.131:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.132:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.133:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.137:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Burstbeacon : Error during cleaning
:mozilla.138:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Burstbeacon : Error during cleaning
:mozilla.139:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.140:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.141:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.142:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.143:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.154:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.155:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.156:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.158:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.159:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.171:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Googleadservices : Error during cleaning
:mozilla.172:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Gator : Error during cleaning
:mozilla.174:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Questionmarket : Error during cleaning
:mozilla.195:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Coremetrics : Error during cleaning


::Report End

Kaspersky Scan Results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, March 22, 2006 6:36:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/03/2006
Kaspersky Anti-Virus database records: 183507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68641
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:59:36

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\9dpv0hme.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped

Scan process completed.


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:56 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...n32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 22 March 2006 - 09:11 PM

Thanks for the logs and the eScan report. Since the eScan report doesn't seem to be complete, I cannot make any assessments. It looks like it has done a good job of cleaning, though. There are some error reports in Ewido. Did you run ATF Cleaner before you ran Ewido? I would like you to clean your cookies and then rescan.

Please clear the cookies in Firefox:

1. In any Firefox window, Click Tools=>Options=>Privacy Icon.
2. Under the Cookies tab, Click Clear Cookies Now button.
3. Click OK to exit Options window.

NOTE: you can set up Firefox to automatically clear cookies and other private data upon exit by clicking the Settings button in the Clear Private Data section of the Options window:

1. Click Settings button
2. Select the data you would like to clear automatically
3. Place a check mark next to Clear Private Data When Closing Firefox
4. Click OK=>OK to exit the options window

======================

Also, please clear your Internet Explorer cookies:

1. Click Start=>Control Panel=>Internet Options
2. In the General tab under the Temporary Internet Files header, Click Delete Cookies=>OK
3. Click OK to exit Internet Options window.

====================
Using Windows Explorer (right-click on Start, click on Explore), navigate to and delete the following file:

C:\WINDOWS\system32\9dpv0hme.ini . Try deleting it in Safe Mode if you cannot.

======================

Scan with Ewido again.

======================

Please post the Ewido report and a new HijackThis log, but please make sure the wordwrap is turned off, as it's difficult to read it like this.

#5 djb

  • Topic Starter
  • Members
  • 16 posts

Posted 23 March 2006 - 12:24 AM

Sorry about the wordwrap :thumbsup:

*edit* I took off the wordwrap and it's still putting in a break at the end of some of the lines.

Ewido Scan Log

There are a lot of "Error during cleaning" entries; is that normal?

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:20:32 PM, 3/22/2006
+ Report-Checksum: C545B952

+ Scan result:

:mozilla.11:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.12:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.13:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.14:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.15:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.23:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning
:mozilla.24:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Atdmt : Error during cleaning
:mozilla.25:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.26:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.27:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.28:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.29:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.30:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.31:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.32:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.33:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.34:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.35:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.36:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.37:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.38:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.39:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.40:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.41:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.42:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.43:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.44:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.45:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Mediaplex : Error during cleaning
:mozilla.52:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.53:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.54:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.55:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.89:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Overture : Error during cleaning
:mozilla.90:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Overture : Error during cleaning
:mozilla.91:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.92:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.93:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Centrport : Error during cleaning
:mozilla.94:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Centrport : Error during cleaning
:mozilla.95:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.96:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.97:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.98:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Hitbox : Error during cleaning
:mozilla.104:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.105:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.107:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.108:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.109:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.110:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.111:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.112:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.113:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.114:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.116:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.117:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.118:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.119:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.120:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.121:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.122:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.125:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.128:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.129:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.130:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.131:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.132:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.133:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning
:mozilla.137:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Burstbeacon : Error during cleaning
:mozilla.138:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Burstbeacon : Error during cleaning
:mozilla.139:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.140:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.141:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.142:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.143:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Adserver : Error during cleaning
:mozilla.154:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.155:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.156:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Liveperson : Error during cleaning
:mozilla.158:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.159:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.171:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Googleadservices : Error during cleaning
:mozilla.172:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Gator : Error during cleaning
:mozilla.174:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Questionmarket : Error during cleaning
:mozilla.195:C:\Program Files\Support.com\backup\Co\cookies.txt\18496_58d4f318a_/cookies.txt -> TrackingCookie.Coremetrics : Error during cleaning


::Report End

Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:04 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/qry/myhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by djb, 23 March 2006 - 12:27 AM.


#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 23 March 2006 - 07:49 AM

Hi djb,

The HijackThis log looks good now, both in form and content. :thumbsup:

In your Program Files, there is a folder called "support.com". Did you install that program yourself? If you didn't install it yourself, please remove it from Add/Remove Programs and delete the associated folder. If you did install it yourself, then delete the backup folder in it. Empty the Recycle Bin.

C:\Program Files\Support.com\backup

Run ATF. Restart and run Ewido and Kaspersky again and post their logs please.

#7 djb

djb
  • Topic Starter

  • Members
  • 16 posts

Posted 23 March 2006 - 03:04 PM

Here are the new Ewido and Kaspersky logs:

Ewido

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:37:40 PM, 3/23/2006
+ Report-Checksum: B4E127C1

+ Scan result:

No infected objects found.


::Report End

Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 23, 2006 2:01:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/03/2006
Kaspersky Anti-Virus database records: 183608
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 65056
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:55:40

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{4CBE5788-FDC1-4707-85A3-F944AA857C93}\RP474\A0018126.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped

Scan process completed.

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 24 March 2006 - 02:58 PM

Hi djb,

Sorry for the delay. For some reason, I didn't get the notification for your reply. Anyway, good news: the logs are clean. The only infected object found by Kaspersky is in the System Restore. It won't harm you and we'll clean it later as well. Since you seem to have had W32/Rbot-ANK at some point in the past (which is a worm with backdoor functionality and allows others to access the computer), let's do one more scan. Make sure that you are logged in as an Administrator to the computer for this scan.

Download Rootkit Revealer.
  • Create a folder Rootkit Revealer in the following location C:\
  • Unzip to this folder.
  • Close ALL other open programmes, files and folders and disconnect from the internet. Close down all scheduling/updating + running background tasks, etc. Physically unplug the cable from the PC to the internet connection.
  • Click on RootkitRevealer.exe to launch the programme.
  • Click Scan, and allow it to scan your computer.

You may get a warning from your protection systems that a new service is being installed; this will have a random name, and is generated by Rootkit Revealer. Allow it please.

IMPORTANT: other than to allow the above event, do not touch your computer while the scan is running, as this will generate false reports.

When the scan is finished, click File > Save, and save RootkitRevealer.txt to your C:\Rootkit Revealer folder.

Copy the log to your next post please.

Edited by amateur, 24 March 2006 - 04:14 PM.


#9 djb

djb
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2006 - 08:42 PM

"Close down all scheduling/updating + running background tasks, etc."

Can you please tell me how to do that? I'm not entirely sure.

Thanks!

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 24 March 2006 - 08:58 PM

Hi djb,

Sorry, I have to go out now. I'll be back within a couple of hours and will explain it to you.

#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 24 March 2006 - 11:15 PM

Scheduling/updating + running background tasks: programs that you want Windows to run at a specified time and have scheduled that way. For example, you can schedule your antivirus software to perform scanning on a daily, weekly or monthly basis at a certain time; or your screensaver to kick in after a certain period of inactivity; or your email program to check your email at a certain interval, etc. Make sure that nothing is scheduled at the time of the RootkitRevealer scan and don't touch your computer while the scan is in progress.

#12 djb

djb
  • Topic Starter

  • Members
  • 16 posts

Posted 25 March 2006 - 11:33 AM

Thanks for the explanation, amateur.

Here is the log:

C:\WINDOWS\system32\spool\PRINTERS\FP00003.SHD 3/25/2006 9:21 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\spool\PRINTERS\FP00003.SPL 3/25/2006 9:21 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
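An added example (not code from the thread, from BleepingComputer or from Sysinternals) showing how a RootkitRevealer log like the one above can be read programmatically: it parses each discrepancy line, separates zero-byte print-spool files that only existed while the scan ran (the kind of false report amateur warned about) from objects hidden from the Windows API, which are the entries that would need a closer look. The third sample line and its path are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input in the line format RootkitRevealer writes to RootkitRevealer.txt.
# The first two lines are the ones posted above; the third is a constructed
# example (no such file is implied) of an entry that does warrant review.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\spool\\PRINTERS\\FP00003.SHD 3/25/2006 9:21 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\system32\\spool\\PRINTERS\\FP00003.SPL 3/25/2006 9:21 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\system32\\drivers\\example.sys 3/20/2006 1:02 AM 24576 bytes Hidden from Windows API.
"""

# Fields: path, date, time, size, description. The path is matched lazily so
# that directories containing spaces (C:\Program Files\...) still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>\d+) bytes\s+(?P<desc>.+)$"
)

@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: int
    description: str

def parse_log(text: str) -> List[Discrepancy]:
    """Parse discrepancy lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Discrepancy(m["path"], f"{m['date']} {m['time']}",
                                       int(m["size"]), m["desc"].rstrip(".")))
    return entries

def classify(entry: Discrepancy) -> str:
    """'hidden': object hidden from the Windows API, the pattern a rootkit
    produces. 'transient': a zero-byte print-spool file that only existed
    while the scan ran (a false report, not an infection).
    'review': anything else, to be looked at by hand."""
    desc = entry.description.lower()
    if desc.startswith("hidden from windows api"):
        return "hidden"
    if ("not in mft" in desc and entry.size == 0
            and "\\spool\\printers\\" in entry.path.lower()):
        return "transient"
    return "review"

def triage(text: str) -> Dict[str, List[str]]:
    """Group the paths in a log by classification."""
    groups: Dict[str, List[str]] = {"hidden": [], "transient": [], "review": []}
    for entry in parse_log(text):
        groups[classify(entry)].append(entry.path)
    return groups
```

Running `triage(SAMPLE_LOG)` on the two lines posted above puts both spool files under `transient`, which matches the verdict in the next reply.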

#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 25 March 2006 - 12:51 PM

Hi djb,

It's really looking good. All scans are clear.

Please delete the RootKitRevealer folder from C:\, and empty the Recycle Bin.

Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days; that is why we are not installing the guard, so it will not interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (top left) and clicking on both items under "Your Security Status".

ATF is a useful program to keep cookies and temporary files under control.

Remember to hide your system files again.

Start > My Computer > Tools > Folder Options > View
Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Check the Hide file extensions for known file types option.
Click OK.

Disable and Enable System Restore
If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restore points, it's very possible that the malware you have removed is still present in the System Restore. If you put Windows back to such a restore point, this malware will be put back as well.

This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.
4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', and click 'OK'.

Reboot normally.

You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following free ones. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflicts and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommend doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here. Remember to "immunize" after each update.
Microsoft Antispyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and the internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

You can install these programs, to make surfing with Internet Explorer safer:

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
Fraudulent claims or scams
Offensive material
Security vulnerabilities
Spyware or Adware
Spam related material
or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

o Adult
o Spyware
o Spam Advertising
o Phishing
o Possible scam or fraud
o Misleading or False Advertising
o Pharming
o Rogue or Suspect Product
o Adware
o Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

But above all, keep all your software UP-TO-DATE at all time!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Happy and safe surfing.

#14 djb

djb
  • Topic Starter

  • Members
  • 16 posts

Posted 25 March 2006 - 02:11 PM

Amateur,

I just realized that when I ran the Rootkit scan I was logged in as myself and not as administrator. Should I log on as administrator and run it again, or is it ok since I am the only user on this computer?

Thanks

#15 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 25 March 2006 - 02:27 PM

It's OK.

Stay Safe.



