Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent Popups After Using Preparation Guide


  • This topic is locked This topic is locked
9 replies to this topic

#1 joe6w

joe6w

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 08 April 2006 - 04:43 PM

I have not been successful in removing something that continues to cause persistent popups when connected to the Internet. I have followed the preparation guide and it still occurs. Using hijackthis I have the attached the log file. Any assistance would be appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 4:00:08 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\win32075321220700.exe
C:\WINDOWS\sys030700532122.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [E2E2E4E6E9E5E6EEE] 0C0C0E10130F101.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [win32075321220700] C:\WINDOWS\win32075321220700.exe
O4 - HKLM\..\Run: [sys030700532122] C:\WINDOWS\sys030700532122.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://maps.mobile-county.net/taxmaps/acgm/acgm.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


m

#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:07 PM

Posted 08 April 2006 - 05:25 PM

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 joe6w

joe6w
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 08 April 2006 - 09:03 PM

Thanks Daemon. New HJT log follows. By the way, computer seems to be behaving itself for now.

Logfile of HijackThis v1.99.1
Scan saved at 8:52:25 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\win32075321220700.exe
C:\WINDOWS\sys030700532122.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [E2E2E4E6E9E5E6EEE] 0C0C0E10130F101.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [win32075321220700] C:\WINDOWS\win32075321220700.exe
O4 - HKLM\..\Run: [sys030700532122] C:\WINDOWS\sys030700532122.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://maps.mobile-county.net/taxmaps/acgm/acgm.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


ewido log is as follows:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:51:34 PM, 4/8/2006
+ Report-Checksum: 1DD5D596

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-2165517387-661858647-2210005112-1005\Software\DelFin -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-2165517387-661858647-2210005112-1005\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-2165517387-661858647-2210005112-1005\Software\DNS -> Adware.Shorty : Cleaned with backup
[364] C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
[1700] C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\dale shaw\Cookies\dale shaw@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\dale shaw\Local Settings\Temp\B3DB.tmp/slk8x2peu.exe -> Adware.Suggestor : Error during cleaning
C:\Documents and Settings\dale shaw\Local Settings\Temp\B3DB.tmp/faotvpap7.exe -> Trojan.Runner.h : Error during cleaning
C:\Documents and Settings\dale shaw\Local Settings\Temp\Cookies\dale shaw@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\dale shaw\Local Settings\Temp\Cookies\dale shaw@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\dale shaw\Local Settings\Temp\gokm.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Documents and Settings\dale shaw\My Documents\The Learning Company\dialer.exe -> Dialer.SexProvider : Cleaned with backup
C:\Documents and Settings\dale shaw\My Documents\The Learning Company\stuff.exe -> Dialer.SexProvider : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\spencer shaw\Cookies\spencer shaw@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\spencer shaw\Cookies\spencer shaw@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\spencer shaw\Cookies\spencer shaw@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\spencer shaw\Local Settings\Temp\Cookies\spencer shaw@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\spencer shaw\Local Settings\Temp\Cookies\spencer shaw@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\spencer shaw\Local Settings\Temp\Cookies\spencer shaw@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.10:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.11:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.13:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.17:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.18:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.36:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.37:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.43:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.44:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.45:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.46:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.47:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.48:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.49:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.55:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.57:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.58:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.59:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.62:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.66:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.78:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.84:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.89:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.92:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.93:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.95:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.96:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.103:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.104:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Brilliantdigital : Cleaned with backup
:mozilla.113:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.114:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.116:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.139:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.140:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
:mozilla.141:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.142:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.143:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.144:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.145:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.154:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.166:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.167:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.174:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.186:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.187:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.193:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.199:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.200:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.207:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.210:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.211:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.213:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Porngraph : Cleaned with backup
:mozilla.214:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.215:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.217:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.223:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Porngraph : Cleaned with backup
:mozilla.226:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.230:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.231:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.237:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.238:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.240:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.241:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.242:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.247:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.250:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.251:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.263:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.264:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.265:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.266:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.267:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.270:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.271:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.272:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.273:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dshaw226\yyt041bt.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.6:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Specificpop : Cleaned with backup
:mozilla.8:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.9:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Specificpop : Cleaned with backup
:mozilla.12:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.13:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.17:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.18:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.19:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.20:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.21:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.22:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Ad-logics : Cleaned with backup
:mozilla.23:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Ad-logics : Cleaned with backup
:mozilla.24:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Ad-logics : Cleaned with backup
:mozilla.25:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.26:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.32:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.33:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.37:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.38:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.40:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.43:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.44:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.51:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.52:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.53:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.54:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.57:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.60:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.72:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.73:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.76:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.77:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.78:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.90:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.91:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.92:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Sunnmoonbtch6\0ksgaupr.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.6:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.8:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.9:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.11:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.25:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.27:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Yeagabubble69\l7neu912.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20060408-114838-272.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\cv3wanv28.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\ѕystem32\msconfig.exe -> Adware.PurityScan : Cleaned with backup


::Report End

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:07 PM

Posted 09 April 2006 - 12:47 AM

There's still more to do. Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting each one:

C:\Program Files\outlook\outlook.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\loadadv64
c:\windows\system32\rlvknlg.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\win32075321220700.exe
C:\WINDOWS\sys030700532122.exe

Click 'Exit' when done.

Using Windows Explorer, navigate to C:\!Submit and you will see the files we removed - zip them up individually and send separately to this e-mail address including a link to this thread in the body of the email.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [E2E2E4E6E9E5E6EEE] 0C0C0E10130F101.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [win32075321220700] C:\WINDOWS\win32075321220700.exe
O4 - HKLM\..\Run: [sys030700532122] C:\WINDOWS\sys030700532122.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Edited by Daemon, 09 April 2006 - 12:48 AM.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 joe6w

joe6w
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 09 April 2006 - 11:20 AM

Here's the next iteration from the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:07 AM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://maps.mobile-county.net/taxmaps/acgm/acgm.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:07 PM

Posted 09 April 2006 - 11:32 AM

Have you sent the files?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:07 PM

Posted 09 April 2006 - 12:49 PM

If they are being blocked by your AV don't worry about it. The log looks better - how is it running now?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 joe6w

joe6w
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 09 April 2006 - 12:52 PM

I tried to send the files.

But...

Your message was rejected by mailcluster.zen.co.uk for the following reason:

Your message has been rejected as it appears to contain malware.
Our virus software (ClamAV) has identified it as 'Oversized.Zip'.
If you are sure the file attached to your e-mail did not contain a virus,
you can report a false positive by going to the following page:
http://www.clamav.net/sendvirus.html

The following recipients did not receive this message:

#9 joe6w

joe6w
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 09 April 2006 - 12:56 PM

Missed your last post. It seems to be running OK. The popups have ceased when using IE.
Really appreciate the help.

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:07 PM

Posted 09 April 2006 - 01:02 PM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users