
Look2me And Other Hijackers Please Help


This topic is locked
14 replies to this topic

#1 Zachary R.

  • Members
  • 40 posts
  • Location: Wallingford, Ct. U.S.A.

Posted 12 April 2006 - 12:01 AM

I am having a hell of a time trying to kill this hijacker. Any help would be greatly appreciated. I have tried multiple scanning tools and come just short of getting rid of it. I believe the main one is called look2me, at least that is what Spyware Dr. said it was.

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 12:29:40 AM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\windows\system32\taskmgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsvpgpi.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\l02slaf71d2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


Here is my Spyware Dr. log (I know it's a little raw, but I wanted to give you a better look at everything):


<?xml version="1.0" encoding="ISO-8859-1" ?>

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html"></xsl:output>
<log>
<generated>4/10/2006 11:47:16 PM</generated>
<logname>20060410234716</logname>
<sections>
<section name="main">
<data>
<scan>
<scanstart>4/10/2006 11:52:56 PM</scanstart>
<timestamp>4/11/2006 3:46:59 AM</timestamp>
<item>
<name>CWS.Searchx</name>
<type>general malware</type>
<location>multiple</location>
<risk>High</risk>
<description>Searchx hijacks browsers homepages, search pages and can redirect the user to various advertising web sites.</description>
<tool>genscanner.dll</tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>Advanced Infections</type>
<location>C:\WINDOWS\system32\q0psla771d.dll</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool></tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>Advanced Infections</type>
<location>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool></tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>general malware</type>
<location>multiple</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool>genscanner.dll</tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>Processes</type>
<location>Explorer.EXE (C:\windows\system32\VE210dec.dll)</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool>pscanner.dll</tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>Processes</type>
<location>rundll32.exe (C:\windows\system32\guard.tmp)</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool>pscanner.dll</tool>
</item>
<item>
<name>VX2.Look2Me</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ShellScrap##DllName</location>
<risk>High</risk>
<description>VX2.Look2Me is a spyware program that monitors visited Web sites and submits the logged information to a server.</description>
<tool>StartupScanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\EventLabels\BearShareChatNotifyMsg</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\EventLabels\BearShareChatNotifyMsg##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.default</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKCU\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.default##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare##Description</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare##DdeApplication</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare##DdeTopic</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare\Type</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare\Type##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare\Type##urn:sha1</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Magnet\Handlers\Bearshare\Type##urn:bitprint</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\EventLabels\BearShareChatNotifyMsg</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\EventLabels\BearShareChatNotifyMsg##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.default</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>BearShare</name>
<type>Registry</type>
<location>HKU\S-1-5-21-776561741-1343024091-1957994488-1003\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.default##</location>
<risk>Info &amp; PUAs</risk>
<description>BearShare is a file sharing network, it's free version install the adware WhenU Save! which in turn display pop-up ads.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Common Components for Trojans</name>
<type>Registry</type>
<location>HKCU\Software\System\sysuid</location>
<risk>Medium</risk>
<description>Common Components that may be used by Trojans Small, DRSN Search, Binet, Euniverse, Adrotator and Dloader among others.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Common Components for Trojans</name>
<type>Registry</type>
<location>HKCU\Software\System\sysuid##</location>
<risk>Medium</risk>
<description>Common Components that may be used by Trojans Small, DRSN Search, Binet, Euniverse, Adrotator and Dloader among others.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Common Components for Trojans</name>
<type>Registry</type>
<location>HKCU\Software\System\sysuid##uid</location>
<risk>Medium</risk>
<description>Common Components that may be used by Trojans Small, DRSN Search, Binet, Euniverse, Adrotator and Dloader among others.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##NextInstance</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Service</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Class</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>I-Search Desktop Search Toolbar</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc</location>
<risk>Elevated</risk>
<description>The I-Search Desktop Search Toolbar will place a search box on the bottom right hand corner of the desktop. It is usually bundled with other malware and will serve various pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>InternetOptimizer</name>
<type>Registry</type>
<location>HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer</location>
<risk>High</risk>
<description>InternetOptimizer is adware which will hijack the Internet Explorer search page and 404 error page with links to various non-relevant websites. It is usually bundled with various other malware.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>InternetOptimizer</name>
<type>Registry</type>
<location>HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer##</location>
<risk>High</risk>
<description>InternetOptimizer is adware which will hijack the Internet Explorer search page and 404 error page with links to various non-relevant websites. It is usually bundled with various other malware.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>InternetOptimizer</name>
<type>Registry</type>
<location>HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer##SlowInfoCache</location>
<risk>High</risk>
<description>InternetOptimizer is adware which will hijack the Internet Explorer search page and 404 error page with links to various non-relevant websites. It is usually bundled with various other malware.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>InternetOptimizer</name>
<type>Registry</type>
<location>HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer##Changed</location>
<risk>High</risk>
<description>InternetOptimizer is adware which will hijack the Internet Explorer search page and 404 error page with links to various non-relevant websites. It is usually bundled with various other malware.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon##</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon##DisplayName</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components##</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
<item>
<name>Trojan.Downloader.VB.HW</name>
<type>Registry</type>
<location>HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components##Type</location>
<risk>High</risk>
<description>Trojan.Downloader.VB.HW runs as a Windows Service (Windows Overlay Components) and in Startup to monitors user's browsing habits and produces targeted pop-up advertisements.</description>
<tool>regscanner.dll</tool>
</item>
"We, the willing, led by the knowing are doing the impossible for the ungrateful. We have done so much, with so little, for so long that we are now qualified to do anything with nothing."


#2 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  •  
  • Location:127.0.0.1
  • Local time:12:38 PM

Posted 12 April 2006 - 12:27 AM

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shut down your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 Zachary R.

Zachary R.
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Location:Wallingford,Ct.U.S.A.
  • Local time:12:38 AM

Posted 12 April 2006 - 01:11 AM

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 2:06:38 AM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\windows\System32\alg.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsvpgpi.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

And here is my Look2Me-Destroyer log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/12/2006 1:41:03 AM

Infected! C:\WINDOWS\system32\l02slaf71d2.dll
Infected! C:\WINDOWS\system32\dostyle.dll
Infected! C:\WINDOWS\system32\dpband.dll
Infected! C:\WINDOWS\system32\en86l1ls1.dll
Infected! C:\WINDOWS\system32\enlul1391.dll
Infected! C:\WINDOWS\system32\fse.dll
Infected! C:\WINDOWS\system32\hrlu0539e.dll
Infected! C:\WINDOWS\system32\ir2ol5f31.dll
Infected! C:\WINDOWS\system32\ir44l5hq1.dll
Infected! C:\WINDOWS\system32\k044lahq1d4e.dll
Infected! C:\WINDOWS\system32\k4620ejoehoc0.dll
Infected! C:\WINDOWS\system32\l02slaf71d2.dll
Infected! C:\WINDOWS\system32\l06olaj31do.dll
Infected! C:\WINDOWS\system32\lv4409hqe.dll
Infected! C:\WINDOWS\system32\morui.dll
Infected! C:\WINDOWS\system32\mvl8l93u1.dll
Infected! C:\WINDOWS\system32\n4l80e3ueh.dll
Infected! C:\WINDOWS\system32\u6rulg9916.dll
Infected! C:\WINDOWS\system32\wpspdmoe.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\l02slaf71d2.dll
C:\WINDOWS\system32\l02slaf71d2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dostyle.dll
C:\WINDOWS\system32\dostyle.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dpband.dll
C:\WINDOWS\system32\dpband.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en86l1ls1.dll
C:\WINDOWS\system32\en86l1ls1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enlul1391.dll
C:\WINDOWS\system32\enlul1391.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fse.dll
C:\WINDOWS\system32\fse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrlu0539e.dll
C:\WINDOWS\system32\hrlu0539e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir2ol5f31.dll
C:\WINDOWS\system32\ir2ol5f31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir44l5hq1.dll
C:\WINDOWS\system32\ir44l5hq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k044lahq1d4e.dll
C:\WINDOWS\system32\k044lahq1d4e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k4620ejoehoc0.dll
C:\WINDOWS\system32\k4620ejoehoc0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l02slaf71d2.dll
C:\WINDOWS\system32\l02slaf71d2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l06olaj31do.dll
C:\WINDOWS\system32\l06olaj31do.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv4409hqe.dll
C:\WINDOWS\system32\lv4409hqe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\morui.dll
C:\WINDOWS\system32\morui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvl8l93u1.dll
C:\WINDOWS\system32\mvl8l93u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n4l80e3ueh.dll
C:\WINDOWS\system32\n4l80e3ueh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\u6rulg9916.dll
C:\WINDOWS\system32\u6rulg9916.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wpspdmoe.dll
C:\WINDOWS\system32\wpspdmoe.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5C21134C-A747-4110-AEAA-BC58E5D31FFC}"
HKCR\Clsid\{5C21134C-A747-4110-AEAA-BC58E5D31FFC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EECC1D34-B06D-459A-B021-FDC644E0FC92}"
HKCR\Clsid\{EECC1D34-B06D-459A-B021-FDC644E0FC92}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{254572FF-316A-42B2-91BE-C3E743C4967F}"
HKCR\Clsid\{254572FF-316A-42B2-91BE-C3E743C4967F}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


How's it look? I will be returning to using only a couple of the adware removal tools. Which one or ones should I get or keep? I prefer free ones. Thank you, Zac
"We, the willing, led by the knowing are doing the impossible for the ungrateful. We have done so much, with so little, for so long that we are now qualified to do anything with nothing."

#4 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  •  
  • Location:127.0.0.1
  • Local time:12:38 PM

Posted 12 April 2006 - 02:48 AM

Hi Zachary,

I'll give you my recommendations after we finish. I have a feeling that you have a Qoologic infection, so let's start.

Please follow the instructions provided; you may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. Please make sure that you follow these in the order I have listed.

=====================================

Download Ewido Anti-Malware
  • Install Ewido.
  • When installing, under Additional Options, uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido.
  • The program will now open the main screen.
  • You will need to update ewido to the latest definition files
    • On the left hand side of the main screen click update.
    • Then click on the Start Update button.
  • The update will start and a progress bar will show the updates being installed.
  • After it has finished, close Ewido, we will use it later.
  • If you are having problems with the updater, you can use this link to manually update ewido Ewido manual updates.
Download Track qoo (TQ.zip)
  • Save it to your Desktop
  • Do not run it yet.
=====================================

Disable Spyware Doctor
  • Open Spyware Doctor.
  • Click the OnGuard button on the left side.
  • Uncheck Activate OnGuard.
=====================================

Boot into Safe Mode. Please restart your computer and as soon as it starts to boot, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

=====================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsvpgpi.exe


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Run Cleanmgr
  • Go to Start Run type: cleanmgr OK
  • Choose (C:) and then click OK
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
=====================================

Run Ewido
  • Open Ewido.
  • Click on scanner at the left side, then click on Complete System Scan.
    • Please don't use the computer while scanning
    • Sometimes Ewido reports legit files as malware, so you need to Remove these one-by-one; if you see a legit file being reported, just select None.
  • Once the scan has completed, click the button located on the bottom of the screen named Save report.
  • Save the report as .txt file to your Desktop.
  • Close Ewido.
=====================================

Restart your computer

=====================================

Double-click on the Trackqoo.zip file you saved. From within the zip folder, double-click on 'Track qoo.vbs'

Note - If you have an anti-virus program that has script blocking features, you will get a pop up window asking you what to do. Allow this entire script to run. It's harmless.

Wait a few seconds and Notepad will pop up. Copy & Paste those results and place them in the next post.

=====================================

Post Logs

In your next reply, please include these log(s):
  • HijackThis (new)
  • Track qoo's results
  • Ewido
Please also provide details of any problems you encountered while performing the above steps and update us on how the computer behaves now.

Edited by Jag11, 12 April 2006 - 02:50 AM.

Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.
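A small triage script for the HijackThis entry types the fix above singles out (the F2 UserInit line with an extra program appended, blank R0/R1 values, orphaned O9 entries and O23 services whose file is missing), added here as an example; it is not part of the original post or of HijackThis. The sample lines are copied from the logs in this thread, and the expected UserInit path is assumed for a default Windows XP install.

```python
"""Triage a HijackThis 1.99 log for the entry types this thread fixes.

Added example, not part of the original post or of HijackThis itself.
"""
import re
from dataclasses import dataclass

# HijackThis prefixes each entry with a section code (R0, F2, O4, O23 ...).
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Assumed default for Windows XP: Winlogon should launch exactly this file.
# Anything else in the comma-separated UserInit value runs at every logon,
# which is how the entry at the top of this thread persists.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsvpgpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (code, body, raw_line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def check_userinit(body, raw):
    """F2 REG:system.ini: UserInit=... must contain only the expected userinit.exe."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    findings = []
    for entry in m.group(1).split(","):
        entry = entry.strip().lower()
        if entry and entry != EXPECTED_USERINIT:
            findings.append(Finding("F2", f"extra UserInit component: {entry}", raw))
    return findings


def triage(log_text):
    """Return the entries a helper would mark for 'Fix Checked', with a reason each."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        if code == "F2":
            findings.extend(check_userinit(body, raw))
        elif code in ("O9", "O16") and "(no file)" in body:
            findings.append(Finding(code, "IE button/menu entry with no backing file", raw))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "service points at a missing file", raw))
        elif code in ("R0", "R1") and body.endswith("="):
            findings.append(Finding(code, "blank IE start/search value", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```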


#5 Zachary R.

Zachary R.
  • Topic Starter

  • Members
  • 40 posts
  • Location:Wallingford,Ct.U.S.A.
  • Local time:12:38 AM

Posted 12 April 2006 - 03:09 PM

Here are two of the three reports you wanted. For some reason Trackqoo.vbs didn't report back; I received no popup windows. I hope you know what that's all about.


Logfile of HijackThis v1.99.1
Scan saved at 3:43:25 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:15:14 PM, 4/12/2006
+ Report-Checksum: FEA2D0F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.424:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.472:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.477:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.481:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.534:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.535:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.536:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.537:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.556:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.562:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.597:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.598:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.600:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.601:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.603:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.604:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.605:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.609:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.620:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.623:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.624:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.625:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.626:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.627:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.638:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.639:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.640:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.649:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.650:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.651:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.654:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.655:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.656:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.657:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.658:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.659:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.660:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.661:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.662:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.682:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.683:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.684:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.685:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.706:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.707:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.708:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.709:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.710:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.711:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.712:C:\Documents and Settings\Zac.INSPIRON\Application Data\Mozilla\Firefox\Profiles\ylqkf08g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Zac.INSPIRON\Local Settings\Temp\i6.tmp -> Adware.SurfSide : Cleaned with backup
C:\Program Files\WinASO\Registry Optimizer 1.5\backup.txt -> Trojan.Disabler.c : Cleaned with backup
C:\Program Files\WinASO\Registry Optimizer 1.zip/Registry Optimizer 1.5/backup.txt -> Trojan.Disabler.c : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> TrackingCookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> TrackingCookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> TrackingCookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Adtech : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> TrackingCookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Adware.WinAD : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> TrackingCookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> TrackingCookie.Hotlog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> TrackingCookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.Clickbank : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> Adware.ZenoSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> TrackingCookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Goldenpalace : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAC.tmp -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp -> TrackingCookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB.tmp -> TrackingCookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp -> TrackingCookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB3.tmp -> TrackingCookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB4.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB5.tmp -> TrackingCookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> TrackingCookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp -> TrackingCookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp -> TrackingCookie.Fastclick : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49IFCP6R\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AVO76RYJ\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\rwinmrag.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End
"We, the willing, led by the knowing are doing the impossible for the ungrateful. We have done so much, with so little, for so long that we are now qualified to do anything with nothing."

#6 Jag11

Posted 12 April 2006 - 08:54 PM

Thanks for the logs.

About the Trackqoo.vbs, try to Unzip it first to your Desktop, and then double-click on it. It should make a file on your Desktop named Report, it's a text file. Post that if you found it.

Also, do you use PartyPoker?

Your log is clean, and Ewido didn't detect Qoologic, I'll just wait for Trackqoo's results to confirm that. We can have one last scan to make sure you're already clean -

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Post the results (Panda) and a new HJT log. And Trackqoo's results if any.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.

#7 Zachary R. (Topic Starter)

Posted 12 April 2006 - 11:46 PM

Here are two logs. For some reason that trackqoo.vbs didn't return with anything to send you, sorry. Is there something I might need to turn on or enable so that would work? Thanks, ZAC



Logfile of HijackThis v1.99.1
Scan saved at 12:42:51 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe






Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@atdmt[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@BassMan[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@questionmarket[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@zedo[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Zac.INSPIRON\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/look2me Not disinfected C:\WINDOWS\Temp\bw2.com
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\WmFjIFJpYmVyYQ\qAI3KILDsApVsk.vbs

#8 Jag11

Posted 13 April 2006 - 07:12 AM

Ok. I don't see any sign of Qoologic now, but just to be sure, let's try another tool.

Download FindQool http://downloads.subratam.org/Lon/FindQool.zip
* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the txt.log which will open.


Download and run Blacklight

*Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. Click on Close

BlackLight beta will create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

=====================================

Show Hidden Files and Folders

Click Start > My Computer > Tools > Folder Options. Select the View tab.
  • Check - Show hidden files and folders
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files
Click Yes to confirm, then OK to exit.

=====================================

Boot into Safe Mode. Please restart your computer and before the Windows logo appear, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

=====================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Uninstall Programs

Click Start > Control Panel > Add/Remove Programs, and then uninstall these programs (if present): WinAntiVirus Pro 2006
=====================================

Click Start > Run > type: regsvr32 /u occache.dll > OK

=====================================

Delete these files -

C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
C:\WINDOWS\teller2.chk
C:\WINDOWS\Temp\bw2.com
C:\WINDOWS\uninstall_nmon.txt

Delete these folders -

C:\Program Files\Common Files\WinAntiVirus Pro 2006\
C:\WINDOWS\WmFjIFJpYmVyYQ\

=====================================

Click Start > Run > type: regsvr32 occache.dll > OK

=====================================

Run Cleanmgr
  • Go to Start > Run, type: cleanmgr > OK
  • Choose (C:) and then click OK
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
=====================================

Restart your computer

=====================================

Post Logs

In your next reply, please include these log(s):
  • HijackThis (new)
  • FindQool
  • BlackLight
Please also provide details of any problems you encountered while performing the above steps and update us on how the computer behaves now.
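The removal list in the post above was worked out by hand from the Panda ActiveScan report: tracking cookies are ignored, a detection inside the browser cache is left to the Cleanmgr step, a file sitting in a shared Windows directory is deleted on its own, and a file living in a folder the adware created is removed together with that folder. The script below is an added example that applies that same judgement to the report format automatically; it is not part of the original thread and not a Panda tool. The shared-directory list, the cookie and cache rules, and the sample report (a subset of the report posted above) are assumptions constructed for this example.

```python
import ntpath
import re
from dataclasses import dataclass

# One report line: "<incident> <status> <drive-letter path>". The incident
# label can contain spaces, so it is matched lazily up to a known status word.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Directories full of legitimate files: remove only the detected file there.
# Anything detected in some other folder is treated as living in a folder the
# adware created, and the whole folder goes. (Assumed rule, not Panda's.)
SHARED_DIRS = {
    ntpath.normcase(d)
    for d in (r"C:\WINDOWS", r"C:\WINDOWS\Temp", r"C:\WINDOWS\Downloaded Program Files")
}


@dataclass(frozen=True)
class Incident:
    category: str  # e.g. "Adware:adware/look2me"
    status: str    # e.g. "Not disinfected"
    path: str      # Windows path exactly as ActiveScan printed it


def parse_report(text):
    """Parse the 'Incident Status Location' section into Incident records."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            incidents.append(Incident(m["incident"], m["status"], m["path"]))
    return incidents


def plan_removal(incidents):
    """Sort undisinfected incidents into the buckets the clean-up steps use."""
    plan = {"cookies": [], "cache": [], "files": [], "folders": []}
    for inc in incidents:
        if inc.status != "Not disinfected":
            continue                          # Panda already dealt with it
        if inc.category.startswith("Spyware:Cookie/"):
            plan["cookies"].append(inc.path)  # clear with the browser, not by hand
            continue
        if "\\temporary internet files\\" in ntpath.normcase(inc.path):
            plan["cache"].append(inc.path)    # the Cleanmgr step empties this
            continue
        parent = ntpath.dirname(inc.path)
        if ntpath.normcase(parent) in SHARED_DIRS:
            plan["files"].append(inc.path)
        elif parent not in plan["folders"]:
            plan["folders"].append(parent)
    return plan


def format_plan(plan):
    """Render the plan in the same shape as the instructions in this thread."""
    out = []
    for title, key in (("Delete these files -", "files"), ("Delete these folders -", "folders")):
        out.append(title)
        out.extend(plan[key])
        out.append("")
    out.append(f"{len(plan['cache'])} cache file(s) left to Cleanmgr, "
               f"{len(plan['cookies'])} tracking cookie(s) left to the browser")
    return "\n".join(out)


# Constructed sample: a subset of the ActiveScan report posted above.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Zac.INSPIRON\Cookies\zac@2o7[2].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Zac.INSPIRON\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/look2me Not disinfected C:\WINDOWS\Temp\bw2.com
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\WmFjIFJpYmVyYQ\qAI3KILDsApVsk.vbs
"""

if __name__ == "__main__":
    print(format_plan(plan_removal(parse_report(SAMPLE_REPORT))))
```

Run against the sample, the plan reproduces the four files and two folders listed in the post above. The rule is deliberately conservative: it never deletes a parent folder that is one of the shared directories, so a detection dropped straight into C:\WINDOWS cannot turn into a request to remove C:\WINDOWS itself. The regsvr32 /u occache.dll step in the post is not modelled; it only makes the Downloaded Program Files entry deletable.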

#9 Zachary R. (Topic Starter)

Posted 14 April 2006 - 12:42 AM

Here are the logs you requested. I hope everything looks ok. I had no problem that time.

Logfile of HijackThis v1.99.1
Scan saved at 1:34:57 AM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

My FindQool Log:

Thu 04/13/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\windows\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 4/05/2006



BlackLight Log:


04/13/06 13:15:15 [Info]: BlackLight Engine 1.0.35 initialized
04/13/06 13:15:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/13/06 13:15:19 [Note]: 7019 4
04/13/06 13:15:19 [Note]: 7005 0
04/13/06 13:15:28 [Note]: 7006 0
04/13/06 13:15:29 [Note]: 7011 1756
04/13/06 13:15:30 [Note]: 7026 0
04/13/06 13:15:30 [Note]: 7026 0
04/13/06 13:15:34 [Note]: FSRAW library version 1.7.1015
04/13/06 13:17:20 [Note]: 7007 0


Thank you.You've been a great help.Anything else?

#10 Jag11

Posted 14 April 2006 - 01:56 AM

We're almost finished.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixME.reg. Please save it on your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\qstat]

[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.

=====================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Run Qlocate.bat again.
* Post the contents of the txt.log which will open.

Post that and a new HJT log.
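The helper asks for a fresh HijackThis log after each fix so that the two logs can be compared: the O16 work4sure.com entry that showed up in the 4/14 01:34 AM log above should be gone, and nothing new should have appeared. The script below is an added example of doing that comparison mechanically; it is not HijackThis code and was not posted in the thread. It parses the 1.99 log layout (header, a "Running processes:" list, then one entry per line prefixed with a section code such as O4 or O16), diffs two logs, and lists O16 (Downloaded Program Files) entries whose download host is outside an allowlist. The allowlist and the two abbreviated logs are constructed from this thread and are assumptions; file:// O16 entries are skipped by the host check.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry line: section code, " - ", the rest (e.g. "O16 - DPF: ...").
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HTTP_URL_RE = re.compile(r"(https?://\S+)")

# Hosts this machine is known to pull ActiveX controls from (assumption for
# this example; build your own from the log and the owner's answers).
TRUSTED_O16_HOSTS = {"www.jud2.state.ct.us", "download.mcafee.com", "acs.pandasoftware.com"}


def parse_hjt(text):
    """Return (processes, entries): the 'Running processes' list, and a dict
    mapping each full entry line to its section code."""
    processes, entries, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # the first entry ends the process list
            entries[line] = m["code"]
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_hjt(before, after):
    """Entries that appeared or disappeared between two logs (sorted)."""
    old, new = parse_hjt(before)[1], parse_hjt(after)[1]
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new))}


def o16_host(entry):
    """Download host of an O16 (DPF) entry, or None for file:// and no-URL lines."""
    m = HTTP_URL_RE.search(entry)
    return urlparse(m.group(1)).hostname if m else None


def review_o16(entries):
    """O16 entries downloaded from an http(s) host outside the allowlist."""
    flagged = []
    for entry, code in entries.items():
        host = o16_host(entry) if code == "O16" else None
        if host is not None and host not in TRUSTED_O16_HOSTS:
            flagged.append(entry)
    return flagged


# Constructed excerpts of the 4/14 01:34 AM log (before) and the log after the fix.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:34:57 AM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\windows\System32\smss.exe
C:\windows\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:07:33 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\windows\System32\smss.exe
C:\windows\Explorer.EXE
C:\windows\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    for key, lines in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(key, lines)
    print("review:", review_o16(parse_hjt(LOG_AFTER)[1]))
```

Keying entries on their full text means a changed path or CLSID shows up as one removal plus one addition rather than being silently treated as the same entry, which is what you want when an adware component re-installs itself under a new name between two logs. The host allowlist is only a triage aid: an unknown host marks an entry for a look, not for deletion.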

#11 Zachary R. (Topic Starter)

Posted 14 April 2006 - 11:21 AM

:thumbsup:
I would like to tell you first that the help you are giving me is excellent, and yet again thank you. Here are the logs.


Logfile of HijackThis v1.99.1
Scan saved at 12:07:33 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



Fri 04/14/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\windows\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 4/05/2006

#12 Jag11

Posted 14 April 2006 - 10:47 PM

Glad we could be of assistance. :thumbsup:
Your log looks clean now. Are you still having any problems?

If you still have any other problems/questions, just post them here.

Now that you're clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Re-Hide System Files and Folders:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Deselect the Show hidden files and folders option
  • Select the Hide protected operating system files option
  • Click Yes to confirm
  • Click OK
2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Click Start > Run, type SYSDM.CPL and click OK
  • Click the System Restore tab.
  • Check - Turn off System Restore.
  • Click Apply.
  • Uncheck - Turn off System Restore.
  • Click OK.
3.) How to Prevent Re-Infection

Please take your time reading on this list, it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then select Tools > Windows Update, and follow the online instructions from there.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
  • Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
    Note: You must only use 1 (one) AV because if you have 2 AVs, they will conflict with each other and only make your system slow.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Edited by Jag11, 14 April 2006 - 10:47 PM.

Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.

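Steps 1 and 2 of the post above are given as Control Panel clicks, which is the right route on the Windows XP machine in this thread. As an added example, not part of the post, the script below does the same two things from a Windows PowerShell 5.1 prompt run as Administrator on a current Windows client: it writes the two Folder Options registry values, verifies them, and turns System Restore off and back on for the system drive. The Enable/Disable-ComputerRestore and Checkpoint-Computer cmdlets do not exist on XP, and the registry path and value meanings are stated here as assumptions about the Explorer Folder Options settings.

```powershell
# Added example, not part of the thread. Scripts steps 1 and 2 of the post
# above for Windows PowerShell 5.1 on a current Windows client, run elevated.
# Assumes the Explorer "Advanced" key below is where Folder Options persists
# its View-tab settings; XP users should follow the Control Panel steps instead.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Hide-SystemFiles {
    # Hidden = 2          -> "Do not show hidden files and folders"
    # ShowSuperHidden = 0 -> "Hide protected operating system files" ticked
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 2 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord
}

function Test-SystemFilesHidden {
    # Read the values back rather than trusting that the writes succeeded.
    $p = Get-ItemProperty -Path $advanced
    return ($p.Hidden -eq 2 -and $p.ShowSuperHidden -eq 0)
}

function Reset-SystemRestore {
    param([string]$Drive = "$env:SystemDrive\")
    # Turning protection off discards the existing restore points, which is the
    # point of the exercise: the post explains they may hold copies of the malware.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    # Take a known-good baseline immediately, so there is a clean point to
    # return to if something goes wrong later.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

Hide-SystemFiles
if (-not (Test-SystemFilesHidden)) { throw 'Folder Options values did not apply' }
Reset-SystemRestore
```

Explorer reads the Folder Options values when it starts, so open a new Explorer window (or sign out and back in) to see the change. Checkpoint-Computer will refuse to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value has been changed, so run this once, after the cleanup is finished.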

#13 Zachary R.

Zachary R.
  • Topic Starter

  • Members
  • 40 posts
  • Location:Wallingford,Ct.U.S.A.

Posted 15 April 2006 - 02:21 AM

First I want to thank you VERY much. You saved me from an agonizing ordeal with my wife. Second, THIS WEB SITE ROCKS!!!!!! :thumbsup: Your directions were right on and were very simple to understand. I will be donating some money. I'm going to recommend this site to everyone I know. The next time you hear from me will hopefully be never again, realistically the next time I go snooping in the wrong place. I'm nosy. Thank you again, Zac :flowers:

Edited by Zachary R., 15 April 2006 - 02:22 AM.


#14 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 15 April 2006 - 02:34 AM

No problem Zach! I'm glad we have fixed your problems. Thanks for the donation; that would really help keep this site going.

Happy Surfing! :thumbsup:

Edited by Jag11, 15 April 2006 - 02:34 AM.


#15 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 24 April 2006 - 07:02 AM

Since this issue appears resolved... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Jet Ian

Edited by Jag11, 24 April 2006 - 07:02 AM.
