Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Winlogon Hook Trojan -


  • This topic is locked This topic is locked
13 replies to this topic

#1 blueskyre

blueskyre

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 18 July 2006 - 03:44 PM

Hi Everyone,

A winlogon hook trojan has been planted onto my box, as indicated by spysweeper. Spysweeper, McAfee, Unhackme couldnt root out the bug. It keeps coming back, even if the cleaning process is done in Safe Mode. Hope you guys can help. Thanks.

Specs:
OS :WinXP SP2
CPU :P4 2.66GZ
MB :Asus P4S8X - X
Ram :786 MB





Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:59 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151631988406
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 19 July 2006 - 01:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 20 July 2006 - 03:20 PM

Thank you for your assistance.

I did what was asked. HJT shows that the filed is now removed (file missing), but SpySweeper still flags that my system is infected with winlogon hook trojan. Here's the new scan log.

Logfile of HijackThis v1.99.1
Scan saved at 1:14:30 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis!\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Web Cam 320
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151631988406
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 20 July 2006 - 06:02 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)


Reboot and post a new hijackthis log.
Also please post the log from Ewido as requested.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 20 July 2006 - 11:45 PM

Hi,

Here are the ewido and HJT logfiles:

Ewido:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:52:43 PM 7/20/2006

+ Scan result:



E:\DOWNLOADS-\0 Hacking Tool\VisualRoute_2006_Build_2335\VisualRoute_2006_Build_2335.rar/VisualRoute.exe -> Backdoor.Bifrose.lf : Cleaned with backup (quarantined).
E:\DOWNLOADS-\00 OS\WinXP.portable\PROGRAMS\WinImage\RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
E:\DOWNLOADS-\00 OS\WinXP.portable\PROGRAMS\WinImage\keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
E:\DOWNLOADS-\00 OS\WinXP.portable\PROGRAMS\WinImage\xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.188:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.189:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.190:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.191:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.192:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.193:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.194:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.195:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.196:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.262:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.379:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.456:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.661:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.595:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.629:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.644:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.645:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.340:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.341:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.507:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.261:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.572:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.273:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.274:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.324:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.325:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.326:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.327:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.328:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.276:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.277:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.279:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.517:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.518:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.519:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.520:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.202:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.431:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.614:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.623:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.640:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.255:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.256:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.257:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.290:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.531:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.532:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.533:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.615:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.474:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.479:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.480:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.481:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.490:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
:mozilla.511:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Inet-cash : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.454:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.455:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.150:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.151:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.388:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.239:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.240:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.313:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.314:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.466:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.467:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.468:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.469:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.460:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.461:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.491:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.301:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.302:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.638:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.483:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.484:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.485:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.486:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.487:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.488:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Vegasred : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\regiz\Application Data\Mozilla\Firefox\Profiles\zbro0n9g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end
-----------------------------


HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:39:33 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis!\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Web Cam 320
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151631988406
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 21 July 2006 - 03:36 PM

Your log looks clean to me. What's Spysweeper say now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 21 July 2006 - 09:58 PM

HJT suggests my computer is clean. But SpySweeper keeps flagging me that it's infecting by trojan horse winlogon hook. Could it be that SS is corrupt?

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 22 July 2006 - 08:25 AM

Please post the log from SpySweeper so I can see just what it's finding.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 22 July 2006 - 10:05 AM

6:45 PM: | Start of Session, Friday, July 21, 2006 |
6:45 PM: Spy Sweeper started
6:45 PM: Sweep initiated using definitions version 719
6:45 PM: Starting Memory Sweep
6:50 PM: Memory Sweep Complete, Elapsed Time: 00:04:50
6:50 PM: Starting Registry Sweep
6:50 PM: Found Trojan Horse: trojan agent winlogonhook
6:50 PM: HKLM\software\microsoft\mssmgr\ (9 subtraces) (ID = 937101)
6:50 PM: Registry Sweep Complete, Elapsed Time:00:00:35
6:50 PM: Starting Cookie Sweep
6:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:50 PM: Starting File Sweep
7:21 PM: File Sweep Complete, Elapsed Time: 00:31:09
7:21 PM: Full Sweep has completed. Elapsed time 00:36:36
7:21 PM: Traces Found: 10
7:57 PM: Removal process initiated
7:57 PM: Quarantining All Traces: trojan agent winlogonhook
7:57 PM: Removal process completed. Elapsed time 00:00:01

12:09 AM: Processing Startup Alerts
12:09 AM: Allowed Startup entry: F-Secure Manager
12:09 AM: Processing Startup Alerts
12:09 AM: Allowed Startup entry: F-Secure TNB
12:14 AM: Processing Startup Alerts
12:14 AM: Allowed Startup entry: F-Secure Automatic Update.lnk

2:00 AM: A scheduled sweep will now start.
2:00 AM: | End of Session, Saturday, July 22, 2006 |
********
2:00 AM: | Start of Session, Friday, July 21, 2006 |
2:00 AM: Spy Sweeper started
2:00 AM: Sweep initiated using definitions version 719
2:00 AM: Starting Memory Sweep
2:05 AM: Memory Sweep Complete, Elapsed Time: 00:05:52
2:05 AM: Starting Registry Sweep
2:06 AM: Found Trojan Horse: trojan agent winlogonhook
2:06 AM: HKLM\software\microsoft\mssmgr\ (9 subtraces) (ID = 937101)
2:06 AM: Registry Sweep Complete, Elapsed Time:00:00:31
2:06 AM: Starting Cookie Sweep
2:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:06 AM: Starting File Sweep
2:39 AM: File Sweep Complete, Elapsed Time: 00:32:53
2:39 AM: Full Sweep has completed. Elapsed time 00:39:19
2:39 AM: Traces Found: 10
7:57 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
8:02 AM: Processing Startup Alerts
8:02 AM: Allowed Startup entry: wextract_cleanup0
8:02 AM: Allowed Startup entry: MPlayer2_FixUp
8:07 AM: Processing Startup Alerts
8:07 AM: Allowed Startup entry: WMC_RebootCheck
11:21 AM: Warning: Cannot open file "C:\Documents and Settings\Guest\NTUser.dat". The process cannot access the file because it is being used by another process
6:45 PM: | End of Session, Friday, July 21, 2006 |
********
11:57 PM: | Start of Session, Wednesday, July 19, 2006 |
11:57 PM: Spy Sweeper started
11:57 PM: Sweep initiated using definitions version 719
11:57 PM: Starting Memory Sweep
12:03 AM: Memory Sweep Complete, Elapsed Time: 00:06:12
12:03 AM: Starting Registry Sweep
12:04 AM: Found Trojan Horse: trojan agent winlogonhook
12:04 AM: HKLM\software\microsoft\mssmgr\ (9 subtraces) (ID = 937101)
12:04 AM: Registry Sweep Complete, Elapsed Time:00:00:41
12:04 AM: Starting Cookie Sweep
12:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:04 AM: Starting File Sweep
12:15 AM: Sweep Canceled
12:15 AM: File Sweep Complete, Elapsed Time: 00:11:07
12:15 AM: Traces Found: 10
7:48 AM: Ignoring scheduled sweep: wrSpySweeper20060715184404
8:32 AM: Processing Startup Alerts
8:32 AM: Allowed Startup entry: avast!
8:48 AM: Processing Startup Alerts
8:48 AM: Allowed Startup entry: BigDogPath
2:22 PM: IE Tracking Cookies Shield: Removed adjuggler cookie
2:22 PM: IE Tracking Cookies Shield: Removed yieldmanager cookie
4:17 PM: Warning: Access is denied
12:15 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:17 AM: Processing Startup Alerts
12:17 AM: Allowed Startup entry: !1_ProcessGuard_Startup
12:17 AM: Allowed Startup entry: !1_pgaccount
2:00 AM: A scheduled sweep will now start.
2:00 AM: | End of Session, Friday, July 21, 2006 |
********
10:52 PM: | Start of Session, Wednesday, July 19, 2006 |
10:52 PM: Spy Sweeper started
10:52 PM: Sweep initiated using definitions version 719
10:52 PM: Starting Memory Sweep
10:53 PM: Sweep Canceled
10:53 PM: Memory Sweep Complete, Elapsed Time: 00:00:41
10:53 PM: Traces Found: 0
11:57 PM: | End of Session, Wednesday, July 19, 2006 |
********
2:00 AM: | Start of Session, Wednesday, July 19, 2006 |
2:00 AM: Spy Sweeper started
2:00 AM: Sweep initiated using definitions version 719
2:00 AM: Starting Memory Sweep
2:00 AM: Sweep Canceled
2:00 AM: Memory Sweep Complete, Elapsed Time: 00:00:15
2:00 AM: Traces Found: 0
3:12 AM: The Spy Communication shield has blocked access to: here4search.biz
3:12 AM: The Spy Communication shield has blocked access to: here4search.biz
3:12 AM: The Spy Communication shield has blocked access to: smart-security.biz
3:12 AM: The Spy Communication shield has blocked access to: smart-security.biz
8:04 AM: The Spy Communication shield has blocked access to: here4search.biz
8:04 AM: The Spy Communication shield has blocked access to: here4search.biz
8:04 AM: The Spy Communication shield has blocked access to: smart-security.biz
8:04 AM: The Spy Communication shield has blocked access to: smart-security.biz
1:14 PM: The Spy Communication shield has blocked access to: here4search.biz
1:14 PM: The Spy Communication shield has blocked access to: here4search.biz
1:14 PM: The Spy Communication shield has blocked access to: smart-security.biz
1:14 PM: The Spy Communication shield has blocked access to: smart-security.biz
1:18 PM: Processing Startup Alerts
1:18 PM: Allowed Startup entry: !ewido
2:00 PM: Processing Startup Alerts
2:00 PM: Allowed Startup entry: NetFxUpdate_v1.1.4322
2:27 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:27 PM: IE Tracking Cookies Shield: Removed webtrends cookie
2:57 PM: Processing Startup Alerts
2:57 PM: Allowed Startup entry: avast!
********
12:24 AM: | Start of Session, Wednesday, July 19, 2006 |
12:24 AM: Spy Sweeper started
12:24 AM: Sweep initiated using definitions version 719
12:24 AM: Starting Memory Sweep
12:28 AM: Memory Sweep Complete, Elapsed Time: 00:03:49
12:28 AM: Starting Registry Sweep
12:28 AM: Found Trojan Horse: trojan agent winlogonhook
12:28 AM: HKLM\software\microsoft\mssmgr\ (9 subtraces) (ID = 937101)
12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:28
12:29 AM: Starting Cookie Sweep
12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 AM: Starting File Sweep
12:40 AM: Sweep Canceled
12:40 AM: File Sweep Complete, Elapsed Time: 00:11:12
12:40 AM: Traces Found: 10
1:00 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:00 AM: A scheduled sweep will now start.

Edited by blueskyre, 22 July 2006 - 10:08 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 22 July 2006 - 09:25 PM

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
mssmgr

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 23 July 2006 - 03:33 AM

I think it's a false alarm on SpySweeper's part. I just did another scan with SpySweeper and the result is negative: no trojan found. But here's the logfile from RegSearch:


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.1.0

; Results at 7/23/2006 1:25:50 AM for strings:
; 'mssmgr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 23 July 2006 - 02:12 PM

That's good to see! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 blueskyre

blueskyre
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 24 July 2006 - 01:34 AM

Thank you, Buckeye_Sam. You're a great help.

I do almost always follow the safety guideline provided. I do have router, software firewall, antivirus and antispyware. Also, I rarely ever used Internet Explorer. Firefox is my preference of use 99% of the time. But it was a bad judgment call on my part for excepting three unknown Active X control requests, while running IE. It costed me (and, I am sorry, you) quite some time and effort to eradicate the bugger.

On the other hand, I am determine to dwell deeper into understanding malwares and how to fight them.

Again, thank you.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:42 AM

Posted 24 July 2006 - 03:58 PM

Glad to help! :thumbsup:

As your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users