
Malwarewipe


11 replies to this topic

#1 jakespass


Posted 12 April 2006 - 04:59 PM

The bogus web page makes a false statement that the computer is infected.

I have run Adware, Spybot, Norton Antivirus, MSN, dumped tempfiles, etc, etc, etc, etc,... to no avail. Any guidance would be greatly appreciated.

Thanks,

Bob Jacobs
=======================================================================
Hijack logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:53 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\AOL\1127834521\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Common Files\XCPCSync\Translators\MSWinCE2\AutoDetect.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\Msoffice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\OPLIMIT\ocrawr32.exe
c:\program files\common files\aol\1127834521\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127834521\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Documents and Settings\Robert Jacobs\Desktop\HijackThis.exe
C:\Program Files\America Online 9.0b\shellmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hp60C4.tmp
O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127834521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AnySync Technology - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [AnySync Technology - MSWinCE2] C:\Program Files\Common Files\XCPCSync\Translators\MSWinCE2\AutoDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRA~1\ADVANC~1\POPUPJ~1\JAMMER.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\addtolist.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Delete from White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\delfromlist.js
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .adp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17df184a4b07648c0603/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} (FreeMedia Control) - http://66.28.33.112/media.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127917379426
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://clients.automatedmarketingsolutions...tivexviewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v6//ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://solutions.webex.com/client/v_mywebe...ort/ieatgpc.cab
O16 - DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
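The HijackThis log above is what a helper reads by eye. As an added example (not from the thread and not part of HijackThis), the Python script below parses the R0/R1/R3/O2/O3 lines and applies the same checks: a cleared or backed-up start page, a missing URLSearchHook, add-ons registered with no display name or loaded from a .tmp file, and security-themed add-ons living outside a constructed allowlist of vendor folders. The sample lines are copied from the log in this post; the allowlist and the wording of the heuristics are assumptions of the example.

```python
"""Triage heuristics for HijackThis (HJT) v1.99 log entries (added example)."""
import re

# Constructed sample: a handful of lines copied from the HJT log in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hp60C4.tmp
O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# "R0 - body" / "O2 - body": section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "BHO: name - {CLSID} - path" or "Toolbar: name - {CLSID} - path".
ADDON_RE = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Names HJT prints when a BHO or toolbar registers no display name.
PLACEHOLDER_NAMES = {"", "nothing", "(no name)"}
# Words that rogue "security" add-ons like to put in their display name.
SECURITY_WORDS = ("security", "antispyware", "spyware", "protect")
# Constructed allowlist (assumption of this example): a security-themed
# add-on whose file lives outside these vendor folders deserves a closer look.
TRUSTED_VENDOR_DIRS = ("symantec", "norton", "mcafee", "microsoft",
                       "google", "yahoo", "aol")


def parse_entries(log_text):
    """Return [(section, body)] for every HJT R*/O* line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _check_addon(body):
    """Heuristics for O2 (BHO) and O3 (Toolbar) entries; returns a list of reasons."""
    m = ADDON_RE.match(body)
    if not m:
        return ["unparseable add-on entry"]
    name = m.group("name").strip().lower().lstrip("&")  # "&Google" -> "google"
    path = m.group("path").strip().lower()
    reasons = []
    if name in PLACEHOLDER_NAMES:
        reasons.append("add-on registered without a display name")
    if re.search(r"\.tmp(\s|\(|$)", path):
        reasons.append("add-on loaded from a .tmp file")
    if any(w in name for w in SECURITY_WORDS) and not any(
            v in path for v in TRUSTED_VENDOR_DIRS):
        reasons.append("security-themed add-on outside known vendor folders")
    return reasons


def _check_browser_settings(section, body):
    """Heuristics for R0/R1/R3 Internet Explorer setting lines."""
    reasons = []
    key, _, value = body.partition(" =")
    if section in ("R0", "R1"):
        if key.endswith("Start Page") and value.strip() == "":
            reasons.append("start page has been cleared")
        if key.endswith("Start Page_bak"):
            reasons.append("Start Page_bak present: the original start page was replaced")
    if section == "R3" and "missing" in body.lower():
        reasons.append("default URLSearchHook is missing")
    return reasons


def triage(log_text):
    """Return [(section, body, reasons)] for every entry that trips a heuristic."""
    flagged = []
    for section, body in parse_entries(log_text):
        if section in ("O2", "O3"):
            reasons = _check_addon(body)
        else:
            reasons = _check_browser_settings(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section} - {body}\n    -> {'; '.join(reasons)}")
```

Run against the sample it flags the cleared R0 start page, the R1 Start Page_bak, the missing R3 hook, the nameless BHO in hp60C4.tmp and the SecurityToolbar entry, while the Norton BHO, the Google toolbar and the ccApp Run entry pass.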


#2 dahli


Posted 12 April 2006 - 05:21 PM

Please print these instructions, or copy them to Notepad and save them to your Desktop so you can refer to them easily. You will be in Safemode for part of this fix, so you will not have internet access.

Download smitRem.exe and save the file to your desktop.
Alternate links if that one is not working:
smitRem.exe
smitRem.exe

Double-click on the SmitRem.exe file. You will now see a screen.
Click on the Start button and the program will start extracting the files into a folder on your desktop called SmitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called SmitRem. Do not run it yet. We will do this later in Safemode.

Please download Ewido Security Suite trial version.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch Ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates. Do NOT run a scan yet.

Next, please reboot your computer into Safemode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safemode.

Perform the following steps in Safemode:

Go to Add/Remove programs and uninstall Malware Wipe if it is there. Do not restart your computer if it asks you to do so.

Then search for and DELETE the specified file(s)/folder(s) IF PRESENT:

C:\Program Files\Malware Wipe <--folder

Double-click on SmitRem's RunThis.bat file to start the tool.
When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

If there is an uninstaller present for an infection that SmitRem removes it will start this uninstaller.

Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and SmitRem will prompt you to continue. Now you should press any key to continue.

When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When SmitRem has finished running it will automatically start the Disk Cleanup program.

This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Then select "Settings"
  • Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
  • Select "OK" and you will return to scanning options.
  • Click on Complete System Scan and the scan will begin.

    This scan can take quite a while to run, so please be patient.
  • While the scan is in progress, you will be prompted to clean the first infected file it finds.
  • Choose Clean.
  • Then put a check next to 'Perform action on all infections'. Doing this enables the scan to proceed automatically until its completion. Click OK
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
Close Ewido

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" or "Desktop Uninstall" if present.

* Reboot into Normal mode.

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • Please post that report in your next reply. Simply open the text file, then copy/paste the content here. Also, please include a fresh HJT log, your Ewido report, and your Smitrem log (which resides here: C:\smitfiles.txt.)

Steven

#3 jakespass


Posted 13 April 2006 - 12:08 PM

Dahli, thank you for your assistance and guidance with my problem with Malwarewipe. I followed your instructions and "scrubbed" my computer using the software you recommended. All is well. Ewido found and corrected 201 infections. Again, thank you for your able assistance.

#4 dahli


Posted 13 April 2006 - 12:16 PM

That is good to hear. I still would like to see the logs if possible - they may indicate other infections. It may take a couple of posts to post all the information.
Steven

#5 jakespass


Posted 13 April 2006 - 09:06 PM

Steven, I will post the logs for you in the AM on Friday, 4-14. Again, thanks for your help.

Bob

#6 rogerwillco


Posted 14 April 2006 - 01:16 AM

Question - I have the same issue. This is on my work computer. When I try to log back on and put into safe mode, I have to put in my work password and login name and then it says it won't work. Any way around this? PLEASE HELP.

#7 jakespass


Posted 14 April 2006 - 09:44 AM

Steven, here are copies of the 3 logs that you requested.

Active Scan


Incident Status Location

Adware:adware/emediacodec Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Online Security Guide.url
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Robert Jacobs\Application Data\Lycos
Adware:adware/cws Not disinfected Windows Registry
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kount[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@2o7[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@belnk[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@rightmedia[1].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ath.belnk[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[4].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@azjmp[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[2].txt
Spyware:Cookie/Bettersearch Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@index[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@rightmedia[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[2].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[3].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[4].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kount[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@go[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@image.checkmystats.com[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[3].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@spywarestormer[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[3].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@errorguard[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@did-it[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@42633854[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www.seeq[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www48.seeq[1].txt
Spyware:Cookie/Socalcoeds Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@socalcoeds[2].txt
Spyware:Cookie/GangbangSquad Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@gangbangsquad[2].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[4].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[3].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@toplist[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[4].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@webpower[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@belnk[3].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[4].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ath.belnk[3].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@xiti[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@entrepreneur[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@azjmp[3].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[5].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@toplist[2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www48.seeq[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[5].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@xiti[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@searchportal.information[2].txt
Adware:Adware/SearchMall Not disinfected C:\install.cab
Adware:Adware/SearchMall Not disinfected C:\install.cab[winsrm32.dll]
Virus:Exploit/Codebase.AC Not disinfected C:\install.htm
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\All Users\Documents\AOL Downloads\America Online 9.0\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Robert Jacobs\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Robert Jacobs\Desktop\smitRem\Process.exe
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kount[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@2o7[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@belnk[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@rightmedia[1].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ath.belnk[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[4].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@azjmp[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[2].txt
Spyware:Cookie/Bettersearch Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@index[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@rightmedia[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[2].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[3].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[4].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kount[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@go[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@image.checkmystats.com[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[3].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@spywarestormer[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[3].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@errorguard[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@did-it[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@42633854[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www.seeq[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www48.seeq[1].txt
Spyware:Cookie/Socalcoeds Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@socalcoeds[2].txt
Spyware:Cookie/GangbangSquad Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@gangbangsquad[2].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@teensforcash[4].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[3].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@toplist[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@adultfriendfinder[4].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@webpower[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@belnk[3].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@dist.belnk[4].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ath.belnk[3].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@xiti[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@entrepreneur[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@kinghost[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@azjmp[3].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@c.fsx[5].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ccbill[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@toplist[2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@www48.seeq[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@atwola[5].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@ct.360i[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@xiti[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Robert Jacobs\Cookies\robert jacobs@searchportal.information[2].txt
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Robert Jacobs\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv627.jar-1d022690-66934cbd.zip[Matrix.class]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe
smitRem Log


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 04/12/2006
The current time is: 16:04:08.60

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!

Ewido Log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:32:42 PM, 4/12/2006
+ Report-Checksum: DDDF5CF4

+ Scan result:

C:\WINDOWS\SYSTEM32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ieatgpc.dll -> Adware.WebEx : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01096282.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01096532.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01097308.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01097615.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01099547.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01099787.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01100033.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01100450.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01100776.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01101040.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01104057.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01104312.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01104603.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01090765.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01091016.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01091268.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01091534.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01091773.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01092019.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01092267.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01092510.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01092773.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01093011.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01094240.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01094988.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01095235.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01095746.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01097866.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01093257.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01094484.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01094730.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01095493.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01096002.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01098130.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01097024.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01098389.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01098685.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01098956.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01099230.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01101336.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01101611.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01103574.CAB/winsrm32.dll -> Adware.Ilookup : Error during cleaning
C:\RECYCLED\NPROTECT\01103747.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP72\A0046885.exe -> Downloader.Zlob.kv : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP73\A0049989.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050014.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050015.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050021.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050032.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050069.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050073.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050089.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050098.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050100.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050102.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050894.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050911.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050914.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050918.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050919.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050920.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP75\A0050923.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP76\A0050940.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP76\A0051869.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP76\A0051872.exe -> Downloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP76\A0051877.exe -> Downloader.Sm

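Most of the ewido hits above sit under C:\RECYCLED\NPROTECT (the store kept by Norton Unerase Protection, the NProtectService listed in the HijackThis logs in this thread) and under System Volume Information\_restore (System Restore points). Those are retained copies rather than files that run at boot, and one CAB member reports "Error during cleaning". The following Python script is an added example, not ewido's code and not something posted in the thread; it parses the report's "path -> name : status" lines, separates archive members from their container, groups the hits by location and lists anything not reported as cleaned. The excerpt is copied from the report above and abridged; the bucket labels are this example's own.

```python
"""Group the hits of an ewido anti-malware scan report by where they sit.

Added example for this thread; not ewido's code and not posted by anyone
in it.  The location labels in BUCKETS are this example's own (assumption).
"""
import re
from collections import Counter

# Excerpt copied from the ewido report above (abridged to seven lines).
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01096282.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLED\NPROTECT\01103574.CAB/winsrm32.dll -> Adware.Ilookup : Error during cleaning
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP72\A0046885.exe -> Downloader.Zlob.kv : Cleaned with backup
C:\System Volume Information\_restore{327E1313-1AD7-4C6C-9541-7CA9C9692ECB}\RP74\A0050014.EXE -> Downloader.Small.ayl : Cleaned with backup
"""

# ewido writes one hit per line as "<path> -> <detection name> : <status>".
HIT_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<status>.+)$")

# Ordered (prefix, label) table; the first matching prefix wins.  The first
# two locations hold copies kept by Norton Unerase Protection and by System
# Restore, not files that run at boot.
BUCKETS = (
    ("c:\\recycled\\nprotect\\", "norton protected recycle bin (retained copy)"),
    ("c:\\system volume information\\_restore", "system restore point (retained copy)"),
    ("c:\\windows\\downloaded program files\\", "IE ActiveX cache (live)"),
    ("c:\\windows\\system32\\", "system32 (live)"),
)


def parse_hits(report_text):
    """Return one dict per hit: path, member (for archive contents), name, status."""
    hits = []
    for raw in report_text.splitlines():
        m = HIT_RE.match(raw.strip())
        if not m:
            continue
        # Archive members are written as "<container>/<member>"; keep the
        # container as the path so the bucket reflects where the archive lives.
        container, _, member = m["path"].partition("/")
        hits.append({"path": container, "member": member or None,
                     "name": m["name"], "status": m["status"]})
    return hits


def bucket_of(path):
    """Map a path to one of the BUCKETS labels, or "other"."""
    low = path.lower()
    for prefix, label in BUCKETS:
        if low.startswith(prefix):
            return label
    return "other"


def summarize(report_text):
    """Count hits per location and list the ones ewido did not clean."""
    hits = parse_hits(report_text)
    by_bucket = Counter(bucket_of(h["path"]) for h in hits)
    not_cleaned = [h for h in hits if not h["status"].lower().startswith("cleaned")]
    return {"total": len(hits), "by_bucket": dict(by_bucket), "not_cleaned": not_cleaned}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for label, n in sorted(s["by_bucket"].items()):
        print(f"{n:3d}  {label}")
    for h in s["not_cleaned"]:
        print(f"NOT CLEANED: {h['path']} [{h['member']}] {h['name']}: {h['status']}")
```

Run against the full report, the two "retained copy" buckets dominate; those copies only go away when the Norton protected recycle bin is emptied and the restore points are purged, which a scanner's "Cleaned with backup" does not do on its own.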
#8 dahli

dahli

  • Members
  • 278 posts
  • Local time:04:31 AM

Posted 16 April 2006 - 06:27 PM

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.


In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Reboot in SAFE MODE (Tap F8 during startup)

Delete the following:

C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Online Security Guide.url
C:\GatorPatch.log
C:\install.htm

Reboot in Normal Mode

Post a new HijackThis log.
Steven

#9 jakespass

jakespass
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:31 AM

Posted 17 April 2006 - 01:52 PM

Steven, I used CCleaner. Attached below is the latest HJT log:
===========================================================

Logfile of HijackThis v1.99.1
Scan saved at 11:45:10 AM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\AOL\1127834521\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\Msoffice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\common files\aol\1127834521\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127834521\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Robert Jacobs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.godaddy.com/gdshop/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpBF4F.tmp (file missing)
O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127834521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AnySync Technology - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [AnySync Technology - MSWinCE2] C:\Program Files\Common Files\XCPCSync\Translators\MSWinCE2\AutoDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRA~1\ADVANC~1\POPUPJ~1\JAMMER.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\addtolist.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Delete from White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\delfromlist.js
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .adp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17df184a4b07648c0603/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} (FreeMedia Control) - http://66.28.33.112/media.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127917379426
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://clients.automatedmarketingsolutions...tivexviewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v6//ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://solutions.webex.com/client/v_mywebe...ort/ieatgpc.cab
O16 - DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 dahli

  • Members
  • 278 posts
  • OFFLINE
  • Local time:04:31 AM

Posted 17 April 2006 - 02:03 PM

Run HijackThis and check the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpBF4F.tmp (file missing)

Click FIX CHECKED

Go here and run a Bitdefender Online Scan. Save the log it creates and post that along with a new HijackThis log. This scan may take a while to complete.
Steven
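The four entries dahli picked out follow HijackThis' fixed line format: a section prefix (R0, R1, R3, O2), then either the registry hive, key and value with its data, or the BHO's name, CLSID and DLL path. The Python below is an added example, not part of this thread and not HijackThis' own code; it parses lines in that format and applies the same triage rules a helper applies by eye: a Start Page that has been cleared or points somewhere other than a known default, a missing default URLSearchHook, and a BHO whose DLL is gone, that has no name, or that loads from a .tmp file. The allow-list of start-page hosts is an assumption, and the sample log is constructed from the four lines above plus two benign entries added so the rules have something to leave alone.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the four entries from the post above, plus a benign BHO
# and a benign O23 service line in the same format (assumption, not from the log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpBF4F.tmp (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


# Assumption: start pages a helper would accept without a second look.
ALLOWED_START_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}

# "R0 - HKLM\Software\...\Main,Start Page = <data>"  (data may be empty)
R_ENTRY = re.compile(r"^(R[0-3]) - (.*)$")
R_SETTING = re.compile(r"^(HK(?:LM|CU))\\(.+?),(.+?) = ?(.*)$")
# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage_line(line: str):
    """Return a Finding for an R0/R1/R3/O2 line worth fixing, else None."""
    line = line.rstrip()
    m = R_ENTRY.match(line)
    if m:
        kind, rest = m.groups()
        if kind == "R3" and "URLSearchHook is missing" in rest:
            return Finding(line, "default URLSearchHook removed; IE will use whatever hook is registered next")
        s = R_SETTING.match(rest)
        if s and s.group(3).startswith("Start Page"):
            hive, _key, value, data = s.groups()
            if data == "":
                return Finding(line, f"{value} cleared in {hive}")
            if data != "about:blank" and host_of(data) not in ALLOWED_START_HOSTS:
                return Finding(line, f"{value} points at {host_of(data)}, not a known default")
        return None
    b = O2_BHO.match(line)
    if b:
        name, clsid, path = b.groups()
        if path.endswith("(file missing)"):
            return Finding(line, f"BHO {clsid} still registered but its DLL is gone")
        if name.lower() in ("nothing", "(no name)"):
            return Finding(line, f"BHO {clsid} has no name")
        if path.lower().endswith(".tmp"):
            return Finding(line, f"BHO {clsid} loads from a .tmp file")
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every line of a log; findings keep log order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line.split(' - ')[0]}: {f.reason}")
```

Run against the sample it reports exactly the four lines dahli listed and nothing else. Note the O2 entry: the DLL it points at is already gone, so that line is a dead registration left behind rather than an active component, which is why fixing it in HijackThis (removing the CLSID registration) is enough on its own.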

#11 jakespass

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 17 April 2006 - 02:32 PM

Run HijackThis and check the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchwww.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpBF4F.tmp (file missing)

Click FIX CHECKED

Go here and run a Bitdefender Online Scan. Save the log it creates and post that along with a new HijackThis log. This scan may take a while to complete.


Steven, I fixed the 4 items noted in the Hijack Log. However, I am not able to run the Bitdefender online scan. When I attempt to run it from the web site you linked in the e-mail, I get the following error message..."website is not authorized to host ActiveX Control". There is a note that says to notify Bitdefender, and it lists an e-mail address. Do you have a workaround, or should I contact the Bitdefender people at the e-mail listed? Your thoughts?

#12 dahli

  • Members
  • 278 posts
  • OFFLINE
  • Local time:04:31 AM

Posted 17 April 2006 - 02:41 PM

You can contact them or just run another Panda Activescan and post the log.
Steven
