
Spyware


  • This topic is locked
5 replies to this topic

#1 Jmarten

  • Members
  • 12 posts

Posted 27 March 2006 - 10:35 AM

Here is my HijackThis log. I got some kind of spyware/malware on my computer. It has changed my homepage, and I got this little icon by my clock in my taskbar that says "virus alert". Not to mention all the popups. Help please.

Logfile of HijackThis v1.99.1
Scan saved at 9:28:17 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\HijackThis.exe

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpB9F.tmp
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Jmarten
  • Topic Starter

  • Members
  • 12 posts

Posted 28 March 2006 - 06:41 PM

I keep getting this thing called Spyware Quake, and WebOffer. Even though I delete them, they somehow keep getting back on here. Please help me.

#3 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 March 2006 - 11:53 AM

Hello Jmarten!

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad on the desktop, where they can be easily found, for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

IstSvc

* Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

* Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please download ATF Cleaner by Atribune.
Do not run it yet.

* Download Roguescanfix from here. Download it to your desktop.
Double-click roguescanfix.exe
Click the 'install' button.
This will create a new folder on your desktop called Roguescanfix.
Open that folder and double-click: Run.bat

Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here.
Unzip it and place BFU.exe in the Roguescanfix folder. Then double-click Run.bat again.


The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.

* When you reboot, please reboot into Safe Mode (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpB9F.tmp
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\ISTsvc <--folder

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis log, the contents of smitfiles.txt, which is present on your home drive (C:\ in most cases),
and the Ewido log, by using Add Reply.

David

Edited by D-Trojanator, 30 March 2006 - 11:53 AM.
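As an added example that is not part of this thread (and not code from HijackThis itself), the Python below parses the O2/O4/O16/O23 line formats seen in the log posted in #1 and applies the three patterns behind the fix list in #3: a BHO loaded from a .tmp file, an autostart entry pointing into the ISTsvc folder, and an ActiveX (DPF) control downloaded from a host outside a small vendor allowlist. The sample lines are copied from the posted log, while the allowlist and the "known unwanted" token list are constructed for the example; the heuristics recover three of the four lines David marked, and the PopCapLoader control from zone.msn.com shows that the fourth needs knowledge of the specific control rather than a pattern.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format. The paths, CLSIDs and
# URLs are the ones posted in this thread, trimmed to a few lines per section.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpB9F.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Hosts that served the vendor controls in the posted log. This allowlist is
# constructed for the example; it is not an authoritative list.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "symantec.com", "pandasoftware.com")
# The program the helper told the poster to uninstall (IstSvc); its folder name
# is the token looked for in autostart command lines. Constructed list.
KNOWN_UNWANTED_TOKENS = ("istsvc",)

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)")
DPF_RE = re.compile(r"DPF: \{[^}]+\}(?: \((.*?)\))? - (.*)")


@dataclass
class Entry:
    section: str          # O2, O4, O16, O23, ...
    name: str             # BHO name, Run value name, DPF friendly name or service name
    clsid: Optional[str]  # lower-cased GUID when the line carries one
    target: str           # file path, command line or URL the entry loads
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for blank or non-O lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    name, target = "", rest
    if section in ("O2", "O23"):
        # "BHO: <name> - {CLSID} - <path>" and "Service: <name> - <vendor> - <path>":
        # the first colon ends the section label, the last " - " precedes the path.
        parts = [p.strip() for p in rest.partition(":")[2].split(" - ")]
        name, target = parts[0], parts[-1]
    elif section == "O4":
        m4 = RUN_RE.match(rest)           # "<hive>\..\Run: [<name>] <command>"
        if m4:
            name, target = m4.groups()
    elif section == "O16":
        m16 = DPF_RE.match(rest)          # "DPF: {CLSID} (<friendly name>) - <url>"
        if m16:
            name, target = m16.group(1) or "", m16.group(2)
    return Entry(section, name, clsid.group(0).lower() if clsid else None, target, line)


def host_is_trusted(url: str) -> bool:
    """True when the URL's host is one of the allowlisted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for lines matching the thread's removal criteria."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        t = e.target.lower()
        if e.section == "O2" and (t.endswith(".tmp") or e.name.lower() in ("", "nothing", "(no name)")):
            flagged.append((e, "BHO loaded from a .tmp file or with no real name"))
        elif e.section == "O4" and any(tok in t for tok in KNOWN_UNWANTED_TOKENS):
            flagged.append((e, "autostart points into the folder of a known-unwanted program"))
        elif e.section == "O16" and not host_is_trusted(e.target):
            flagged.append((e, "ActiveX control downloaded from a host outside the allowlist"))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry.section:>4}  {reason}\n      {entry.raw}")
```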


#4 Jmarten
  • Topic Starter

  • Members
  • 12 posts

Posted 30 March 2006 - 04:09 PM

Here are the reports. The ISTsvc things were not on my computer or I couldn't find them.

PANDA SCAN
Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\smitRem\Process.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\gimmygames.dat
Adware:Adware/SurfAccuracy Not disinfected C:\WINDOWS\kpmtbm.exe
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\smmss.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\wudupdate.exe

SMITFILES

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 03/30/2006
The current time is: 14:08:05.06

Running from
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


EWIDO

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:37:22 PM, 3/30/2006
+ Report-Checksum: E73BDB5A

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\eZulaBootExe.EXE -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1 -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\eZula -> Adware.Ezula : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\eZula\Setup -> Adware.Ezula : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\eZula\Setup\ID -> Adware.Ezula : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\IST -> Adware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1960408961-1935655697-725345543-1007\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\backups\backup-20060330-140514-573.dll -> Downloader.Zlob.jp : Cleaned with backup
C:\RECYCLER\NPROTECT\00002790.dll -> Downloader.Dyfuca : Cleaned with backup
C:\RECYCLER\NPROTECT\00002959.exe -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00002961.exe -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00002967.dll -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00002971.dll -> Not-A-Virus.PSWTool.Win32.EZula.bf : Cleaned with backup
C:\RECYCLER\NPROTECT\00003010.TXT -> TrackingCookie.Paycounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00003017.TXT -> TrackingCookie.Hotlog : Cleaned with backup
C:\RECYCLER\NPROTECT\00003046.TXT -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00003122.TXT -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00003131.TXT -> TrackingCookie.Sexcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00003133.TXT -> TrackingCookie.Statcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00003160.TXT -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00003161.TXT -> TrackingCookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00004187.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004188.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004189.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004190.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004191.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004309.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004310.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004311.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004312.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004313.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004314.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004315.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004317.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004318.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004319.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004329.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004330.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004340.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004341.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004371.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004376.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004392.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004393.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004531.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004532.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004537.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004538.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004552.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004553.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004560.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004561.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004562.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004563.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004564.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004565.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004566.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004567.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004667.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004668.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004669.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004670.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004671.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004672.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00004673.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004674.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00004686.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00004718.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00004719.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00004721.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004722.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004724.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00004744.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004745.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00004746.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00004747.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005037.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005038.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005039.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005040.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005041.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005043.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005044.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005045.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005046.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005047.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005048.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005049.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005120.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005121.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005122.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005123.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005124.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005125.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005126.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005127.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005128.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005131.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005132.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005133.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005134.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005135.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005136.TXT -> TrackingCookie.Ru4 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005137.TXT -> TrackingCookie.Ru4 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005138.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005139.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005143.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005144.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005145.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005146.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005147.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005148.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005149.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005150.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005151.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00005309.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00005310.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00005311.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00005315.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00005743.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005744.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005745.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005746.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005752.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005753.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005754.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005755.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005756.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005759.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005760.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005761.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005762.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005763.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005768.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005769.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005770.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005771.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005773.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005774.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005775.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005776.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005777.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005778.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005779.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005780.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005781.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005782.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005783.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005784.TXT -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00005786.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005787.TXT -> TrackingCookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00005817.TXT -> TrackingCookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\00005818.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005819.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005820.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005821.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005824.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005825.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005826.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005827.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005831.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005832.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005833.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005834.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005841.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005842.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005843.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005844.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005847.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005848.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005849.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005850.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00005870.TXT -> TrackingCookie.Tracking101 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005941.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005942.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005968.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005969.TXT -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\NPROTECT\00005970.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005971.TXT -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00005974.TXT -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00005975.TXT -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00005976.TXT -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00005977.TXT -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00006016.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00006147.DLL -> Adware.WinAD : Cleaned with backup
C:\RECYCLER\NPROTECT\00006148.EXE -> Adware.WinAD : Cleaned with backup
C:\RECYCLER\NPROTECT\00006149.EXE -> Adware.WinAD : Cleaned with backup
C:\RECYCLER\NPROTECT\00006182.exe -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00006217.exe -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00006218.exe -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00006224.dll -> Adware.EZula : Cleaned with backup
C:\RECYCLER\NPROTECT\00006228.dll -> Not-A-Virus.PSWTool.Win32.EZula.bf : Cleaned with backup
C:\RECYCLER\NPROTECT\00006353.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\WINDOWS\inst_adperform.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\ezstub.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\lrsahaia.esv -> Hijacker.Small.js : Cleaned with backup
C:\WINDOWS\system32\mwinorag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\urbqrqmn.toz -> Hijacker.Small.js : Cleaned with backup
C:\WINDOWS\system32\wuauclt10.exe -> Dropper.Pakes : Cleaned with backup


::Report End


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:05:16 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:26 AM

Posted 31 March 2006 - 11:36 AM

Hi there Jmarten.

The Hijackthis log is looking much better now. It is hard for me to tell you if you are clean unless you communicate with me. Is your computer running better now? Do you still have the icon in your taskbar?
We've got a few more things to do now, a bit of clearing up:

Make sure that you can see hidden files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\WinAntiVirus Pro 2006 <--folder
C:\WINDOWS\gimmygames.dat <--file
C:\WINDOWS\kpmtbm.exe <--file
C:\WINDOWS\system32\ezPopStub.exe <--file
C:\WINDOWS\system32\ide21201.vxd <--file
C:\WINDOWS\system32\smmss.exe <--file
C:\WINDOWS\system32\wudupdate.exe <--file

Please reboot, and let me know how the system feels to you.

David
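
An added example (it is not part of this thread, and not code from HijackThis itself): a small Python triage routine that reads HijackThis 1.99.1 log lines and picks out the two kinds of entry David asks to fix above, namely any R/O entry whose target is "(no file)" (an orphaned leftover from a removed program) and any O15 Trusted Zone host that is not on an allowlist (a host placed in IE's Trusted Zone gets relaxed ActiveX and scripting settings, which adware of this era exploited). The sample log lines are copied from the log above, and the allowlist is an assumption made for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed input for this example: a header line plus five entries copied
# from the HijackThis v1.99.1 log posted above (the two David asked to fix
# and three benign ones).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
"""

# Assumption (not from the thread): hosts that were deliberately added to
# IE's Trusted Zone. Any other host in an O15 line is flagged.
TRUSTED_ZONE_ALLOWLIST = {"update.microsoft.com"}

# HJT entry lines look like "R3 - ...", "O4 - ...", "F2 - ...", "N1 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O15 bodies look like "Trusted Zone: http://host (HKLM)" or "Trusted Zone: *.host".
O15_HOST_RE = re.compile(r"Trusted Zone:\s+(?:\*\.|https?://)?(?P<host>[^\s/]+)")


class Finding(NamedTuple):
    section: str
    line: str
    reason: str


def parse_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, raw_line) for each entry line.

    The log header and the 'Running processes' list do not match ENTRY_RE
    and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag entries a helper would tick under 'Fix checked'."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        # R0-R3 (IE start/search pages, URLSearchHooks) and O4 (Run keys)
        # whose target file is gone are harmless leftovers; fixing them
        # only removes a dangling registry value.
        if section[0] in "RO" and "(no file)" in body:
            findings.append(Finding(section, line, "orphaned entry, target file is gone"))
            continue
        # O15: a host in IE's Trusted Zone (ZoneMap zone 2) runs with the
        # Trusted Sites security level, so anything not put there on purpose
        # should come out.
        if section == "O15":
            m = O15_HOST_RE.search(body)
            host = m.group("host") if m else body
            if host not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(Finding(section, line, f"unexpected Trusted Zone host {host}"))
    return findings


def fix_checked_lines(log_text: str) -> List[str]:
    """The exact log lines to check in HijackThis before 'Fix checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports exactly the R3 and O15 lines David lists; the O4, O16 and O23 entries pass because they point at existing, vendor-signed files and contain no Trusted Zone change.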

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:26 AM

Posted 12 April 2006 - 09:34 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



