What Is On My Computer?


  • This topic is locked
23 replies to this topic

#1 movado

movado

  • Members
  • 13 posts
  • OFFLINE

Posted 02 April 2006 - 10:07 AM

I had tried everything that was suggested and cannot get rid of whatever I have. There is in my tray a yellow triangle that keeps blinking with a little System alert box telling me my computer is infected (obvious ad), and a red "no smoking" symbol without the cigarette that blinks to a green wheelchair. Other issues: Spyware Quake keeps installing itself. I cannot enter My Computer from the icon; it just closes up, so I have to use Explore from the Start menu. Also, porn and gambling ads pop up, but they are the exact same ads every time with the same images. My browser is stationed on a spyware ad page every time I start it.

Here is the Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:42:08 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
I:\Power DVD\DVDLauncher.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
I:\Tivo\TiVoServer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Save\Save.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
I:\Adobe\Acrobat 7.0 Pro\Distillr\acrotray.exe
I:\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Documents and Settings\Jeremy\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7CC1.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "I:\Power DVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "I:\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "I:\Tivo\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = I:\WINDOWS OFFICE XP\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\WINDOW~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139660240500
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EC5A61D-130B-499A-BDD8-9CEF58052874}: NameServer = 204.117.214.10,119.2.252.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - I:\Symantec\PC Anywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe




#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female

Posted 02 April 2006 - 10:33 AM

Hello, welcome to the forum.

Looks like you've been infected with Spyware Quake.

Please do not delete anything unless instructed to.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!


Download smitRem.exe ©noahdfear, and save the file to your desktop.

Double-click on the smitRem.exe file to extract it to its own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download roguescanfix.exe, and save it to your desktop.

Next, boot into Safe Mode. To do this:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Open the smitRem folder on your desktop

Posted Image

Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Reboot in Normal Mode.

Double-click roguescanfix.exe to install it.
Open the roguescanfix folder, and double-click run.bat.
Your desktop and icons will disappear and then reappear again; this is normal.
Wait until the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller; after that, click "uninstall".

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

=======================

I cannot see any antivirus software on your computer. Please download and install ONE of the following good free antivirus programs, then update it and do a full system scan.

AVG Free here
AntiVir here
Avast here

=======================

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
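As an added example for this thread (it is not HijackThis, smitRem or ewido code, and the helpers here did not post it), the Python script below parses the R0/R1, O2, O3, O4 and O17 line formats as they appear in the log above and flags the kinds of entries that the later ewido scan reports as adware: a browser helper object registered from a .tmp file in system32, a toolbar and two Run entries whose names match products the thread's own scan results label as adware or rogue security software (SpywareQuake, Spyfalcon, WhenUSave, Security Toolbar), and O17 NameServer entries that are not on an allow list the operator supplies. The sample log lines are a subset copied from the first HijackThis log in this thread; the heuristic name list, the `expected_dns` parameter and the `Finding` type are this example's own choices.

```python
"""Triage a HijackThis-style log for the indicators seen in this thread.

Added example; not HijackThis, smitRem or ewido code. It only reports
suspicious lines and changes nothing on the machine.
"""
import re
from dataclasses import dataclass

# Products that the scan results posted in this thread classify as adware
# or rogue security software (assumption: this list is the example's own).
# Normalised to lowercase with spaces and '&' removed.
KNOWN_ROGUE_NAMES = {"spywarequake", "spyfalcon", "whenusave", "securitytoolbar"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2", "O4", "O17"
    line: str      # the log line that triggered the finding
    reason: str    # why a defender should look at it


# "O4 - HKLM\..\Run: [name] command"  /  "O2 - BHO: name - {clsid} - path"
LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d+) - (?P<body>.*)$")
CLSID_ENTRY_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)\s*$")


def _norm(text):
    """Lowercase and drop whitespace/'&' so 'Security Toolbar' == 'SecurityToolbar'."""
    return re.sub(r"[\s&]", "", text).lower()


def _matches_rogue(*fields):
    """True if any field contains one of the known rogue product names."""
    return any(rogue in _norm(f) for f in fields for rogue in KNOWN_ROGUE_NAMES)


def triage(log_text, expected_dns=frozenset()):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("O2", "O3"):
            e = CLSID_ENTRY_RE.match(body)
            if not e:
                continue
            path = e.group("path")
            if path.lower().endswith(".tmp"):
                findings.append(Finding(section, line,
                                        "browser extension loaded from a .tmp file"))
            elif _matches_rogue(e.group("name"), path):
                findings.append(Finding(section, line,
                                        "name or path matches a rogue/adware product"))
        elif section == "O4":
            e = RUN_RE.match(body)
            if e and _matches_rogue(e.group("name"), e.group("cmd")):
                findings.append(Finding(section, line,
                                        "autorun entry for a rogue/adware product"))
        elif section == "O17":
            e = NAMESERVER_RE.search(body)
            if e:
                servers = e.group("servers").split(",")
                unexpected = [s for s in servers if s not in expected_dns]
                if unexpected:
                    findings.append(Finding(section, line,
                                            "DNS servers not in the expected set: "
                                            + ", ".join(unexpected)))
    return findings


# Constructed sample: a subset of lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7CC1.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EC5A61D-130B-499A-BDD8-9CEF58052874}: NameServer = 204.117.214.10,119.2.252.10
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it as-is to print the flagged lines, or pass `expected_dns={...}` with the resolvers the ISP actually assigned to suppress the O17 finding when the addresses are legitimate. The script reports and never deletes, which matches the helper's instruction above not to remove anything unless told to.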

#3 movado

movado
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 02 April 2006 - 02:33 PM

I went through everything. The only issue I had was with the rogue scan fix: after the "Completed script execution" dialog box and hitting OK, then exiting BFU, there was no such button to select that said OK to start the SpywareQuake/Spyfalcon uninstaller. It just exited and that was it. Also, I did not clean any files with Panda since the directions did not say to do so.
I am now going to install zone alarm and an antivirus.

New Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:31 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
I:\Power DVD\DVDLauncher.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
I:\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
I:\Tivo\TiVoServer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeremy\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "I:\Power DVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "I:\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "I:\Tivo\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = I:\WINDOWS OFFICE XP\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\WINDOW~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139660240500
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EC5A61D-130B-499A-BDD8-9CEF58052874}: NameServer = 204.117.214.10,119.2.252.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - I:\Symantec\PC Anywhere\awhost32.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe


SmitRem Log:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/31/2006
The current time is: 8:09:41.20

Running from
C:\Documents and Settings\Jeremy\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 564 'explorer.exe'
Killing PID 564 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


Ewido Logs:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:34:09 PM, 4/2/2006
+ Report-Checksum: 67EC8F32

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{736b5468-bdad-41be-92d0-22ae2ddf7bcb} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\EDON -> Adware.SaveNow : Cleaned with backup
HKU\S-1-5-21-1960408961-706699826-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1960408961-706699826-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1960408961-706699826-1417001333-1004\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
HKU\S-1-5-21-1960408961-706699826-1417001333-1004_Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
[768] C:\WINDOWS\system32\stickrep.dll -> Downloader.Zlob.jx : Cleaned with backup
:mozilla.11:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.13:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.29:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.44:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.45:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@imgserv.adbutler[2].txt -> TrackingCookie.Adbutler : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@news.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@e-2dj6wjlieocjogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@e-2dj6wjliwpdzabq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Jeremy\Application Data\Mozilla\Profiles\default\j5hzk34w.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Jeremy\Application Data\Mozilla\Profiles\default\j5hzk34w.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wfkycnd5sdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wfliqld5egq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wfmyokc5ibp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wgkisjdzmep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wglicgdzoho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wgligid5clp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@e-2dj6wjkyenczalo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@ehg-futurepub.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@petsunitedllc.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Jeremy\Cookies\jeremy@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jeremy\My Documents\eDonkey2000 Downloads\PC Anywhere 10.5 Small Business Crack.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Jeremy\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Jeremy\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Jeremy\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Jeremy\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Jeremy\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\ACM.dll -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.htm -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\blacklist.txt -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ignored.lst -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang\English.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Logs -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcp71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcr71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Quarantine -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ref.dat -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.exe -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.url -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\sq.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\uninst.exe -> Adware.SpywareQuake : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\ld7AEC.tmp -> Downloader.Zlob.jt : Cleaned with backup
C:\WINDOWS\system32\mssearchnet.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\WINDOWS\system32\stickrep.dll -> Trojan.Small : Cleaned with backup
I:\SothinkSWFDecompiler\MySearch\MySetp.exe -> Adware.GoWebSite : Cleaned with backup


::Report End


Panda Log:

Incident Status Location

Potentially unwanted tool:application/spywarequake Not disinfected C:\Documents and Settings\Jeremy\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SpywareQuake 2.0.lnk
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/securitytoolbar Not disinfected C:\PROGRAM FILES\Security Toolbar
Spyware:Cookie/Sandboxer Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@307[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@adultfriendfinder[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@c2.gostats[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@searchportal.information[2].txt
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@versiontracker[2].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@www.spyfalcon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@xiti[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\admin\Cookies\admin@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\admin\Cookies\admin@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@belnk[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\admin\Cookies\admin@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\admin\Cookies\admin@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@dist.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\admin\Cookies\admin@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@atwola[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\admin\Local Settings\Temp\Cookies\admin@go[1].txt
Spyware:Cookie/Sandboxer Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@307[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@adultfriendfinder[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@c2.gostats[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@searchportal.information[2].txt
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@versiontracker[2].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@www.spyfalcon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\Spy Falcon Removal\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Jeremy\Local Settings\Temp\sa8.exe
Adware:Adware/SecurityToolbar Not disinfected C:\Program Files\Security Toolbar\Security Toolbar.dll



#4 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 02 April 2006 - 06:29 PM

Movado

Let's do this one more time. You'll need to be connected to the internet for this fix to work.

* Double-click on the roguescanfix folder on your desktop and then double-click on Run.bat. Please note that when the Run.bat starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall or other security programs like Ewido guard and the antivirus program give an alert about this, please allow the download.exe or run.bat program to access the Internet.
* When you start the Run.bat program your desktop will disappear which is normal so you do not need to be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.
* When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. You can simply press the Exit button.
* If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot.

=======================================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"


Close all browsers/windows except HijackThis and click on "fix checked".

=======================================================

Using Windows Explorer (right click on Start, click on Explore), navigate to and delete the following folders, if found:

C:\Program Files\Save
C:\PROGRAM FILES\Security Toolbar

C:\Documents and Settings\Jeremy\Cookies <=== empty the folder

=======================================================

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

=======================================================

Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click Proceed.

3) To start the scan, Click > "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRUs) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.
Here is a good link to an Ad-Aware tutorial: http://www.starpoint.net/help/Maintenance/adware.php

=======================================================

Then run
WhenU remover

=======================================================

Run Panda again and post back the results along with a new HijackThis log, please.

Edited by amateur, 02 April 2006 - 07:20 PM.
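The post above works through a HijackThis log by hand: pick out the R1/O4 lines that point at the adware, fix them, then delete the folders they reference. The script below is an added example, not part of this thread and not amateur's or movado's instructions: it parses the R0/R1/O2/O3/O4 lines of a HijackThis 1.99 log and sorts them into "fix" and "keep" using the indicators named in this thread (the WhenU Save folder, SpywareQuake, Security Toolbar, the spbasic.htm search-bar entry, and the files ewido reported under system32). The indicator list is an assumption built from this thread only, and the sample log is constructed from lines posted here; a real triage would check the "keep" bucket too.

```python
"""HijackThis log triage (added example, not from the thread).

Parses the R*/O* entries of a HijackThis v1.99 log and flags the ones that
match indicators named in this thread. BAD_SUBSTRINGS and SAMPLE_LOG are
assumptions/constructed data for the example, not a general signature set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed indicator list, taken only from what this thread told the user to remove.
BAD_SUBSTRINGS = (
    "\\program files\\save\\",      # WhenU SaveNow install folder (O4 WhenUSave entry)
    "spywarequake",                 # rogue antispyware named in the thread
    "\\security toolbar",           # folder Panda reported, helper said to delete
    "search.msn.com/spbasic.htm",   # R1 Search Bar entry the helper said to fix
    "stickrep.dll",                 # reported by ewido as Downloader.Zlob / Trojan.Small
    "mssearchnet.exe",              # reported by ewido as Hijacker.SpyAxe
    "dfrgsrv.exe",                  # reported by ewido as Trojan.Small
)

# "O4 - HKCU\..\Run: [WhenUSave] ..." -> section "O4", body is the rest.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O4", "R1"
    body: str     # text after "<section> - "


def parse_hjt(log_text: str) -> list[HjtEntry]:
    """Return every R*/O* entry in the log; process lists and headers are skipped."""
    entries: list[HjtEntry] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body")))
    return entries


def is_suspicious(entry: HjtEntry) -> bool:
    """Case-insensitive substring match against the thread's indicator list."""
    body = entry.body.lower()
    return any(s.lower() in body for s in BAD_SUBSTRINGS)


def triage(log_text: str) -> dict[str, list[str]]:
    """Split the log's entries into the lines to 'fix' and the lines to 'keep'."""
    result: dict[str, list[str]] = {"fix": [], "keep": []}
    for e in parse_hjt(log_text):
        result["fix" if is_suspicious(e) else "keep"].append(f"{e.section} - {e.body}")
    return result


# Constructed sample: a few lines lifted from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ==")
        for line in lines:
            print(line)
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the two entries it puts in "fix" for the sample are exactly the two the helper told movado to checkmark. Substring matching is deliberately dumb: it is a triage aid for reading a posted log, not a scanner, and anything that lands in "keep" still needs a human look.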


#5 movado (Topic Starter, Members, 13 posts)

Posted 03 April 2006 - 07:56 AM

I have tried this over and over and with the rogue scan, here is what happens: I click the .bat and it just opens the brute force installer. There is no SpywareQuake uninstallation program that opens where I can push an ok button, all it does is pop a dialog box up that says Completed script execution then opens Brute Force where I have an option of choosing execute. Is it just automatically running the program? Because I am never given any options to remove SpywareQuake uninstallation program. It does connect and get something from the internet which I can see in the shell.

I will continue on with your other instructions. The annoying ad and pop ups have disappeared as of this time however. But I know from trying to remove this before they reappeared in like 24 hours so I want to be sure we kill this one all the way. I really appreciate the help! I will post the Logs when I finish.

#6 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 03 April 2006 - 08:10 AM

OK. Thanks for the feed back. Yes, please go ahead with the rest of the fix. In the meantime I'll try to find out more about the rogue scan.

#7 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 03 April 2006 - 10:34 AM

Let's try this now:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please post that log along with a fresh HijackThis log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Edited by amateur, 03 April 2006 - 10:35 AM.


#8 movado (Topic Starter, Members, 13 posts)

Posted 03 April 2006 - 12:23 PM

Ok here are the logs:


Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 1:12:34 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
I:\Power DVD\DVDLauncher.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
I:\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
I:\Tivo\TiVoServer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeremy\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.njtoys-n-things.com/phpmyvisites/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "I:\Power DVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "I:\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "I:\Tivo\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = I:\WINDOWS OFFICE XP\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\WINDOW~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139660240500
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EC5A61D-130B-499A-BDD8-9CEF58052874}: NameServer = 204.117.214.10,119.2.252.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - I:\Symantec\PC Anywhere\awhost32.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Panda:

Incident Status Location

Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@www.myaffiliateprogram[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\admin\Cookies\admin@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\admin\Cookies\admin@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@belnk[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\admin\Cookies\admin@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\admin\Cookies\admin@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@dist.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\admin\Cookies\admin@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@www.myaffiliateprogram[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\Spy Falcon Removal\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\smitRem\Process.exe
Spyware:Cookie/Apmebf Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc100.txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc105.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc106.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc107.txt
Spyware:Cookie/Banner Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc112.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc114.txt
Spyware:Cookie/GoStats Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc131.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc198.txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc201.txt
Adware:Adware/SecurityToolbar Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc23\Security Toolbar.dll
Spyware:Cookie/Sandboxer Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc24.txt
Spyware:Cookie/go Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc242.txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc300.txt
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc377.txt
Spyware:Cookie/Searchportal Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc397.txt
Spyware:Cookie/Tribalfusion Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc460.txt
Spyware:Cookie/Versiontracker Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc464.txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc587.txt
Spyware:Cookie/Spyfalcon Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc641.txt
Spyware:Cookie/Xiti Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc680.txt
Spyware:Cookie/YieldManager Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc71.txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc86.txt

SmitFraud Fix:

SmitFraudFix v2.27

Scan done at 13:15:31.53, Mon 04/03/2006
Run from C:\Documents and Settings\Jeremy\Desktop\security\SmiFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeremy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeremy\Favorites

C:\Documents and Settings\Jeremy\Favorites\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#9 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:11:33 AM

Posted 03 April 2006 - 01:13 PM

Hi Movado,

Thank you for the logs. Let's continue.

Just curious. Did you set your start page to the following yourself?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.njtoys-n-things.com/phpmyvisites/login.php

========================================================

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.
========================================================

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

========================================================

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

========================================================

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.

========================================================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

========================================================
Please scan with Panda one more time and save the log.

========================================================

Please post:
  • c:\rapport.txt
  • Ewido log
  • Panda Scan results
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

#10 movado
  • Topic Starter
  • Members
  • 13 posts
  • Local time:11:33 AM

Posted 03 April 2006 - 01:28 PM

Yes, that's my web site's stats entrance page.

#11 movado
  • Topic Starter
  • Members
  • 13 posts
  • Local time:11:33 AM

Posted 03 April 2006 - 01:38 PM

I can no longer print; it says directory service no longer available. I tried shutting down Zone Alarm and Ewido but still cannot print.

#12 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:11:33 AM

Posted 03 April 2006 - 01:41 PM

In that case, copy and paste it into Notepad and save it somewhere you can easily access.

#13 movado
  • Topic Starter
  • Members
  • 13 posts
  • Local time:11:33 AM

Posted 03 April 2006 - 01:46 PM

But how do I get my printer to work again? It says printer spooler service not running, so I went to Services and restarted the printer spooler and set it to automatic, but it still won't work. In the meantime I will continue on with what you have asked.

#14 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:11:33 AM

Posted 03 April 2006 - 01:48 PM

We'd better get the malware issue out of the way first. We'll deal with the printer later.

#15 movado
  • Topic Starter
  • Members
  • 13 posts
  • Local time:11:33 AM

Posted 03 April 2006 - 03:30 PM

OK, here are the new logs:

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:38:14 PM, 4/3/2006
+ Report-Checksum: 7529E11

+ Scan result:

:mozilla.10:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.13:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.25:C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\j9zq8yyu.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup


::Report End

SmitFraud:

SmitFraudFix v2.27

Scan done at 14:48:50.15, Mon 04/03/2006
Run from C:\Documents and Settings\Jeremy\Desktop\security\SmiFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\Documents and Settings\Jeremy\Favorites\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Panda:

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\admin\Cookies\admin@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@belnk[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\admin\Cookies\admin@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\admin\Cookies\admin@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@dist.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\admin\Cookies\admin@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmiFraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmiFraudFix\SmitfraudFix.zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\Spy Falcon Removal\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
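
As an added example for the reports posted above (not code from this thread, nor from SmitFraudFix, Panda or Ewido themselves): a small Python triage script that parses the SmitFraudFix search and clean logs and the Panda result lines in the formats pasted here, checks that every path the search run reported FOUND appears as Deleted in the clean run, and diffs the before and after Panda reports by location. The sample log fragments are copied from the thread; the needs_attention heuristic (tracking cookies and hits inside the removal tools' own Desktop folders rank low) is my assumption, not Panda's classification.

```python
"""Triage helpers for the scan reports pasted in this thread (added example).
Answers two questions before the next set of instructions: did the SmitFraudFix
"Clean" run delete everything the "Search" run found, and which Panda incidents
survived the cleanup? Sample lines are copied from the reports in the thread."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# SmitFraudFix prints "<path> FOUND !" in a search run and "<path> Deleted" in a clean run
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+FOUND !\s*$")
DELETED_RE = re.compile(r"^(?P<path>.+?)\s+Deleted\s*$")

def smitfraud_paths(log: str, pattern) -> Set[str]:
    """Paths matching FOUND_RE or DELETED_RE, case-folded because the tools on this
    page print SYSTEM32 and system32 for the same directory."""
    paths = set()
    for line in log.splitlines():
        m = pattern.match(line.strip())
        if m:
            paths.add(m.group("path").lower())
    return paths

def not_cleaned(search_log: str, clean_log: str) -> Set[str]:
    """Paths reported FOUND by the search run that never show up as Deleted."""
    return smitfraud_paths(search_log, FOUND_RE) - smitfraud_paths(clean_log, DELETED_RE)

class Incident(NamedTuple):
    kind: str      # "Spyware", "Adware", "Potentially unwanted tool"
    name: str      # "Cookie/Atlas DMT", "adware/emediacodec", ...
    status: str    # "Not disinfected", ...
    location: str  # file path or registry key

# Panda lines read "<kind>:<name> <status> <location>"; the header line has no colon
PANDA_RE = re.compile(r"^(?P<kind>[^:]+):(?P<name>.+?)\s+"
                      r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
                      r"(?P<location>.+?)\s*$")

def parse_panda(report: str) -> List[Incident]:
    incidents = []
    for line in report.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents

def compare_panda(before: str, after: str) -> Dict[str, List[Incident]]:
    """Diff two reports by case-folded location: resolved, remaining, new."""
    b = {i.location.lower(): i for i in parse_panda(before)}
    a = {i.location.lower(): i for i in parse_panda(after)}
    return {"resolved": [b[k] for k in sorted(b.keys() - a.keys())],
            "remaining": [a[k] for k in sorted(a.keys() & b.keys())],
            "new": [a[k] for k in sorted(a.keys() - b.keys())]}

def needs_attention(i: Incident) -> bool:
    """Heuristic (my assumption, not Panda's verdict): tracking cookies are handled by
    the cookie-deletion step and hits inside the removal tools' own Desktop folders are
    the tools' bundled components; anything else deserves a second look."""
    return not i.name.lower().startswith("cookie/") and "\\desktop\\" not in i.location.lower()

def summarize(incidents: List[Incident]) -> Counter:
    return Counter(i.kind for i in incidents)

# Constructed samples, copied from the logs posted in this thread
SMITFRAUD_SEARCH = r"""
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\Documents and Settings\Jeremy\Favorites\Antivirus Test Online.url FOUND !
"""
SMITFRAUD_CLEAN = r"""
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\Documents and Settings\Jeremy\Favorites\Antivirus Test Online.url Deleted
Registry Cleaning done.
"""
PANDA_BEFORE = r"""Incident Status Location
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem\Process.exe
Adware:Adware/SecurityToolbar Not disinfected C:\RECYCLER\S-1-5-21-1960408961-706699826-1417001333-1004\Dc23\Security Toolbar.dll
"""
PANDA_AFTER = r"""Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmiFraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy\Desktop\security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

if __name__ == "__main__":
    print("found but not cleaned:", not_cleaned(SMITFRAUD_SEARCH, SMITFRAUD_CLEAN) or "nothing")
    for bucket, items in compare_panda(PANDA_BEFORE, PANDA_AFTER).items():
        print(bucket, dict(summarize(items)))
    print("needs attention:", [i.location for i in parse_panda(PANDA_AFTER) if needs_attention(i)])
```

Locations are compared case-folded on purpose: Panda writes C:\WINDOWS\SYSTEM32\ncompat.tlb while SmitFraudFix writes C:\WINDOWS\system32\ncompat.tlb for the same file, so a case-sensitive diff would report a deleted file as still present. On the samples above, everything the search run found shows up as Deleted, four of the six earlier Panda incidents are gone, the two survivors are a tracking cookie and the removal tool's own Process.exe, and the only new hit the heuristic leaves for a second look is the Process.exe copy under system32.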