Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Trojan Infection


  • This topic is locked This topic is locked
15 replies to this topic

#1 kdrman

kdrman

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 16 May 2006 - 05:51 PM

My computer was infected when I opened up a link in an AIM message from a friend that turned out to be a virus. Since that time I have had multiple pop-ups on Internet Explorer. Multiple viruses are found everytime I run AdAware, PCCillin, and Spybot. Removal of the problems have been unsuccessful as they come back after restart. Here is the HijackThis Log. If I can give more information please let me know. Thanks, Jason

Logfile of HijackThis v1.99.1
Scan saved at 6:43:03 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\USERINIT.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\DEFENDER19A.EXE
C:\WINDOWS\cfg32.exe
C:\WINDOWS\UKDUMJHA.exe
C:\WINDOWS\SYS101195926861.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\CCZoop05.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AOLSOFTWARE.EXE
C:\WINDOWS\cfg32a.exe
c:\defender20.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AIM6.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\simtest\sysstall.exe
C:\Documents and Settings\Carrie C\Desktop\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: (no name) - {5608A02A-60AA-45E1-810F-342F04A51234} - C:\Program Files\microsoft frontpage\mewor.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {97263FCD-F47A-8EDF-0370-8F3A872077E3} - C:\WINDOWS\system32\aqc.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [defender] c:\\defender20.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ukdumjhA] C:\WINDOWS\UKDUMJHA.exe
O4 - HKLM\..\Run: [sys101195926861] C:\WINDOWS\sys101195926861.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [newname] c:\\newname20.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard20.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 17 May 2006 - 02:47 AM

Hello kdrman,

Welcome to Bleeping Computer :thumbsup:

Quite a collection you have going there! :flowers:

Before beginning, you may want to save these instructions to Notepad or print them out for easier reference.

Download CWSshredder http://cwshredder.net/bin/CWShredder.exe. Close every window and disconnect from Internet. Double click the CWSshredder icon on your Desktop.
Click Fix, ok and then Next, let it fix everything it asks about.

Please download Brute Force Uninstaller.
Unzip it to itís own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do itís job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Then please run HijackThis, click Scan, and check the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: (no name) - {5608A02A-60AA-45E1-810F-342F04A51234} - C:\Program Files\microsoft frontpage\mewor.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: (no name) - {97263FCD-F47A-8EDF-0370-8F3A872077E3} - C:\WINDOWS\system32\aqc.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [defender] c:\\defender20.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ukdumjhA] C:\WINDOWS\UKDUMJHA.exe
O4 - HKLM\..\Run: [sys101195926861] C:\WINDOWS\sys101195926861.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [newname] c:\\newname20.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard20.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe


Close all open windows and click Fix Checked.

Please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Delete the following files (if they exist):

C:\WINDOWS\cfg32p.dll
C:\Program Files\microsoft frontpage\mewor.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\system32\aqc.dll
c:\\defender20.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\UKDUMJHA.exe
C:\WINDOWS\sys101195926861.exe
C:\WINDOWS\CCZoop05.exe
c:\\newname20.exe
c:\\keyboard20.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe

Reboot your computer

Please download, install, and update the free version of Ewido Anti-Malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you might get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido
In your reply, please post the log from Ewido and a new HijackThis log. Also please let me how your computer is running. The more info I have, the more I can do ! :huh:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 17 May 2006 - 07:22 PM

Hi Tea,

Thanks for the help. This problem is actually on my wifes computer. you guys have helped me out before so we came here.

I did as you said but not everything worked.

CWShredder found no problems.

The R0, R1, and 02 bho cfg32s options did not come up on the HJT so i couldnt delete them.

The following could not be deleted:

C:\WINDOWS\system32\aqc.dll

b/c it was not found in the folder

c:\\defender20.exe
C:\WINDOWS\cfg32.exe

b/c it said access is denied.



Otherwise everything else went ok. The problem that she continues to have (before I did these things) were frequent pop ups. We use Firefox but the pop ups come on IE. While i was running some of these programs a few pop ups came and her anti virus found a few trojans. the one name i have seen multiple times on her cpu is something like Trojan.lookatme. Not 100% sure of that name but its something to that effect.

Anyway, here is the HJT log and the file from the Ewido (which found and fixed 196 problems, YIKES!).

As always, thank you for your help.

Jason



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:10:06 PM, 5/17/2006
+ Report-Checksum: 64FCDED6

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup
[232] C:\WINDOWS\USERINIT.EXE -> Backdoor.SdBot.aad : Cleaned with backup
[3036] C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
[4032] C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\503_617.exe -> Trojan.Small : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Carrie C\Cookies\carrie c@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Carrie C\Desktop\HijackThis\backups\backup-20060517-190317-384.dll -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\Carrie C\Desktop\HijackThis\backups\backup-20060517-190317-480.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Documents and Settings\Carrie C\Desktop\HijackThis\backups\backup-20060517-190317-498.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Cookies\carrie c@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Cookies\carrie c@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Cookies\carrie c@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Cookies\carrie c@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Cookies\carrie c@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\picture08\picture08.pif -> Backdoor.SdBot.aad : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLI3WXM3\WinFixerScannerInstall[1].cab/UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup
C:\Documents and Settings\Carrie C\Local Settings\Temp\Temporary Internet Files\Content.IE5\SV4RADGJ\WinFixer2005ScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\LocalService\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0PER45U7\503_617[1].exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLMN81EF\cfg32[1].exe -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLMN81EF\drsmartload45a[1].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLMN81EF\drsmartload46a[1].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLMN81EF\drsmartload[2].exe -> Downloader.VB.abm : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLMN81EF\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WHUJ8HEF\!update-3820[1].0000 -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WHUJ8HEF\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WHUJ8HEF\mediacenter[1].no -> Downloader.Adload.bm : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WHUJ8HEF\Tagasaurus[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\drsmartload1.exe -> Downloader.VB.abm : Cleaned with backup
C:\drsmartload45a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\RECYCLER\S-1-5-21-2445628531-1104999183-1561193759-1006\Dc70.dll -> Adware.BookedSpace : Cleaned with backup
C:\RECYCLER\S-1-5-21-2445628531-1104999183-1561193759-1006\Dc71.dll -> Adware.BookedSpace : Cleaned with backup
C:\RECYCLER\S-1-5-21-2445628531-1104999183-1561193759-1006\Dc72.dll -> Adware.BookedSpace : Cleaned with backup
C:\RECYCLER\S-1-5-21-2445628531-1104999183-1561193759-1006\Dc73.exe -> Hijacker.VB.ij : Cleaned with backup
C:\RECYCLER\S-1-5-21-2445628531-1104999183-1561193759-1006\Dc74.exe -> Backdoor.Small : Cleaned with backup
C:\Tagasaurus.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\system32\gebyw.dll -> Logger.Agent.hn : Cleaned with backup
C:\WINDOWS\system32\ѕуstem\cmd.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\WINDOWS\Temp\!update.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\WINDOWS\userinit.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\winntdll.pif -> Downloader.Adload.bm : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 8:11:09 PM, on 5/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AOLSOFTWARE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRAM FILES\EWIDO ANTI-MALWARE\SECURITYSUITE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Carrie C\Desktop\HijackThis\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 17 May 2006 - 11:17 PM

Hello again,

You did an excellent job! :thumbsup: This is looking SO much better already.

To address your comments :

It's all right that CWS shredder didn't find anything. It's not an all in one tool, so no big deal. :flowers:

Was it Look2Me that you saw? We'll run that tool.

It's all right that you couldn't find that file to delete. It was probably gone already, so no worries there.

Let's tackle some more now. :huh:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Let me know how the computer is running now.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 18 May 2006 - 11:28 AM

Hi Tea,

Yea it was Look2Me. I downloaded the program and ran it. I dont think it found anything but here is the log.

Also, my wife used the cpu all last night after I ran these programs and she reported no pop ups and nothing from her antivirus. So hopefully you've gotten rid of this. Here are the Look2Me and HJT logs.

Thanks
Jason


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/18/2006 12:08:03 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





Logfile of HijackThis v1.99.1
Scan saved at 12:22:26 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AOLSOFTWARE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Carrie C\Desktop\HijackThis\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 18 May 2006 - 12:32 PM

Hi Jason,

We still have a little way to go yet.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\cfg32p.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 18 May 2006 - 01:05 PM

I ran the avenger program but after the restart it prompted me to create an avenger text file. However there was nothing in the file. There was also nothing else in the avenger\backup file. I dont know if these means it found nothing or if it means i ran it wrong. Should I try running it again?

Sorry and thanks.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 18 May 2006 - 05:32 PM

Nothing to be sorry about! I'm after that file, so how about a new HijackThis log and we'll see. :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 18 May 2006 - 06:22 PM

Certainly...here ya go:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:13 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AOLSOFTWARE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Documents and Settings\Carrie C\Desktop\HijackThis\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 18 May 2006 - 07:15 PM

Thank you :thumbsup:

1) Please download the Killbox.
Save it to the desktop and run it.

2) Select "Delete on Reboot", and then select "All files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\cfg32p.dll

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Next, please reboot your computer in Safe Mode by doing the following :[list]
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
[*]Instead of Windows loading as normal, a menu with options should appear;
[*]Select the first option, to run Windows in Safe Mode, then press "Enter".

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)


Close all browser and other windows except for HijackThis!, and click "Fix Checked".

Delete the following file, if present:

C:\WINDOWS\cfg32p.dll

Use Cleanmgr to clean temporary files:

1. Click > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.

Let's have another scan, still in safe mode, with Ewido please.

Reboot your computer into normal mode when it's done and post the Ewido log and a new HijackThis log. Computer running okay?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 18 May 2006 - 09:30 PM

Hi Tea,

I did as you asked without problems except there was no .dll file to delete. I have left the cpu running and there have been 0 pop-ups since the first clearning yesterday. Here are the logs.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:25:31 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1125099924\EE\AOLSOFTWARE.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Carrie C\Desktop\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)





---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:14:57 PM, 5/18/2006
+ Report-Checksum: AD95C30B

+ Scan result:

:mozilla.22:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Carrie C\Application Data\Mozilla\Firefox\Profiles\gxhj8j2e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup


::Report End

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 19 May 2006 - 12:58 PM

Hi there,

Yay! It's great that you couldn't find that stubborn old file! :thumbsup: Killbox got it before you could go look for it. Ewido shows only cookies now, and your log looks clean. :flowers:

You should definitely maintain a firewall. Some good free firewalls are ZoneAlarm, or Outpost
A tutorial on understanding and using firewalls may be found here.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 19 May 2006 - 01:01 PM

THANK YOU! You guys and gals rock!

#14 kdrman

kdrman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 19 May 2006 - 01:02 PM

THANK YOU! You guys and gals rock!

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:39 PM

Posted 19 May 2006 - 01:07 PM

You're most welcome! :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users