
I'm Infected!


13 replies to this topic

#1 ndkaki
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 02 August 2006 - 08:36 PM

Firstly, great site and various helpful forums. I've tried many of the step-by-step spyware removal walkthroughs, but had no success with complete removal.

I note that Spybot continuously denies a file trying to run on start-up, which is a major pain, as it slows my PC down reloading the denial boxes. I believe the file attempting to register is called sspqo.dll.

I have run every freeware spyware or anti-virus program I can find.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:00 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MixMeister Pro 4\MMPRO.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Media-Codec\isamonitor.exe
C:\Program Files\Media-Codec\pmsngr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\Media-Codec\isaddon.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\Media-Codec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\system32\yephk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I look forward to your response.



#2 njustice
  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 02 August 2006 - 08:41 PM

Hello ndkaki,

njustice here and I'll be helping you resolve your computer issue.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Please download the trial version of Ewido anti-malware 3.5 from here:
http://www.ewido.net/en/download/
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
Have I helped you? Please consider donating to help me continue my fight against malware

#3 ndkaki
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 02 August 2006 - 10:15 PM

Hi njustice,

thank you for the prompt response.

I have installed Ewido as advised, but was not given the option to 'uncheck' the items listed.

My scan from SmitfraudFix follows:

SmitFraudFix v2.79

Scan done at 13:11:38.70, Fri 08/04/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\user\Application Data


Start Menu


C:\DOCUME~1\user\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#4 njustice
  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 03 August 2006 - 06:32 AM

Hello ndkaki,

Download roguescanfix_setup.

Double-click roguescanfix_setup to install it.

After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

When you start roguescanfix.bat you'll see a menu:
1. Run Roguescanfix
2. Run sharedtasksrem

Choose option 1 by typing "1".

Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here.
Unzip it and place BFU.exe in the c:\program files\roguescanfix folder. Then double-click Roguescanfix.bat again.


The tool will uninstall some programs and delete related files and registry keys.
When some files can't be deleted, it will ask you to reboot your system to delete the files after the reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.

A text file will open. Place the contents of that file in your next reply, along with a new HijackThis logfile.
(The text file can also be found at c:\program files\roguescanfix\task.txt)


Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido


Please post:
  • c:\program files\roguescanfix\task.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
Have I helped you? Please consider donating to help me continue my fight against malware

#5 ndkaki
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 04 August 2006 - 04:17 AM

roguescanfix

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


---------------------------------------------------------
ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 7:11:44 PM 8/5/2006

+ Scan result:



:mozilla.263:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.91:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.92:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.36:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.182:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.183:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.184:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.185:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.186:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.187:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.239:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.240:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.241:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.68:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.246:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Bfast : No action taken.
:mozilla.190:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.93:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.94:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.95:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.148:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.149:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Cqcounter : No action taken.
:mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.57:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.59:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.143:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.144:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.145:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.159:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.160:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.168:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.169:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.172:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.188:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.132:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Masterstats : No action taken.
:mozilla.71:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.116:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.117:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.221:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.222:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.223:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.224:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.177:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.178:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.179:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.180:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.181:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.85:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.86:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.87:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.26:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.27:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.83:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.84:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.76:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.77:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.79:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.118:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 7:15:41 PM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Done

#6 njustice
  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 04 August 2006 - 06:40 AM

Hello ndkaki,

Your hijackthis log looks clean. However the ewido log you posted shows that you took no action on cleaning up what was found.


I recommend you run ewido again:

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Post the new ewido log and let me know how your computer is performing and if you're still having problems.
Have I helped you? Please consider donating to help me continue my fight against malware
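Added example, not from the thread or from HijackThis itself: a small Python script that parses the O-numbered entries and process list of the first and the post-fix HijackThis logs above, diffs them, and flags the entries matching the Media-Codec / SSODL artifacts that disappeared between the two. The log excerpts are copied from this thread; the heuristics and function names are this example's own assumptions.

```python
"""Before/after comparison of HijackThis logs (added example, not part of the
thread or of HijackThis). Parses the O-numbered entries and process list of
two logs, reports what disappeared, and flags entries matching the rogue
"Media-Codec" / SmitFraud artifacts seen in the first log of the thread."""
import re
from typing import Dict, List, Tuple

# Excerpt of the first (infected) log posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Media-Codec\isamonitor.exe
C:\Program Files\Media-Codec\pmsngr.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\Media-Codec\isaddon.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\Media-Codec\iesplugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\system32\yephk.dll
"""

# Excerpt of the log posted after roguescanfix ran.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\SpywareGuard\sgmain.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Heuristic (assumption): five random lowercase letters + .dll in system32,
# like the yephk.dll / sspqo.dll names mentioned in the thread.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll$")
SUSPICIOUS_DIRS = ("\\media-codec\\",)  # rogue "codec" bundle directory from the first log


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Map section ('process', 'O2', 'O4', ...) -> list of entry strings."""
    entries: Dict[str, List[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_processes:
            entries.setdefault("process", []).append(line)
    return entries


def suspicious(section: str, entry: str) -> List[str]:
    """Reasons an entry deserves a closer look; empty list means nothing tripped."""
    low = entry.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("path under the rogue Media-Codec directory")
    if section == "O2" and "(no name)" in entry:
        reasons.append("BHO registered without a display name")
    if RANDOM_DLL_RE.search(low):
        reasons.append("random-looking five-letter DLL in system32")
    if section == "O21":
        reasons.append("SSODL entry: loaded by Explorer at logon, a common persistence spot")
    return reasons


def flag_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Every entry in one log that trips at least one heuristic."""
    return [(sec, e, suspicious(sec, e))
            for sec, items in parse_hjt(text).items()
            for e in items if suspicious(sec, e)]


def diff_logs(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Entries only in `before` ('removed') and only in `after` ('added'), per section."""
    b, a = parse_hjt(before), parse_hjt(after)
    result: Dict[str, Dict[str, List[str]]] = {"removed": {}, "added": {}}
    for section in sorted(set(b) | set(a)):
        bs, as_ = set(b.get(section, [])), set(a.get(section, []))
        if bs - as_:
            result["removed"][section] = sorted(bs - as_)
        if as_ - bs:
            result["added"][section] = sorted(as_ - bs)
    return result


def report(before: str, after: str) -> List[Tuple[str, str, List[str]]]:
    """Removed entries that also tripped a heuristic: what the fix actually cleaned."""
    return [(sec, e, suspicious(sec, e))
            for sec, items in diff_logs(before, after)["removed"].items()
            for e in items if suspicious(sec, e)]


if __name__ == "__main__":
    for sec, entry, why in report(LOG_BEFORE, LOG_AFTER):
        print(f"[{sec}] {entry}\n      -> {'; '.join(why)}")
```

The diff also lists the Adobe BHO as removed, but the report leaves it out because no heuristic trips on it; that separation is the point when reading a post-fix log.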

#7 ndkaki
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 04 August 2006 - 07:29 PM

Hi njustice

When I run Ewido, the notification pop-up you describe does not come up.

It only seems to pick up cookies, which I don't think(??) is the problem.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:22:59 AM 8/6/2006

+ Scan result:



:mozilla.130:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.131:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.286:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.34:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.48:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.49:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.85:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.86:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.87:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.88:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.89:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.90:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.91:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.262:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.263:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.264:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.117:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.269:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.216:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.132:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.133:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.134:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.183:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.184:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.116:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.14:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.110:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.112:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.178:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.179:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.180:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.194:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.195:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.205:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.140:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.92:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.120:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.152:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.153:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.244:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.245:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.246:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.247:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.210:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.211:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.212:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.213:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.214:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.124:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.125:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.126:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.68:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.69:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.70:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.71:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.72:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.73:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.22:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.44:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.154:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

#8 ndkaki

ndkaki
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 04 August 2006 - 07:47 PM

njustice,

Further to my message above, the problem I seem to face is some kind of automatic loading: start-up programs trying to load when I first start up.

Here are some screen dumps of the problems: (not sure if the images will work)

#9 njustice

njustice

  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 05 August 2006 - 04:59 AM

Hello ndkaki,

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new hijackthis log.

Have I helped you? Please consider donating to help me continue my fight against malware

#10 ndkaki

ndkaki
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 05 August 2006 - 11:55 PM

njustice,

Dr Web is picking up the ssqpo.dll file, but on re-boot the file is still trying to load.


ssqpo.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
RegUBP2b-user.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix;Trojan.Shutdown;Deleted.;
Process.exe;C:\Documents and Settings\user\Desktop\smitRem;Tool.Prockill;;
Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;;
A0098011.dll;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP159;Trojan.Popuper;Deleted.;
A0098108.reg;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP159;Trojan.StartPage.1505;Deleted.;
A0098167.reg;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP159;Trojan.StartPage.1505;Deleted.;
A0098201.exe;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP159;Tool.Prockill;;
A0098628.exe;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP160;Trojan.Starter.65;Deleted.;
A0098773.exe;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP163;Trojan.Starter.65;Deleted.;
A0098774.dll;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP163;Trojan.Virtumod;Deleted.;
A0098778.dll;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP163;Trojan.Virtumod;Deleted.;
A0098840.dll;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP164;Adware.ClickSpring;;
A0098876.exe;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP164;Adware.ClickSpring;;
A0098877.dll;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP164;Adware.Minibug;;
A0099038.reg;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP165;Trojan.StartPage.1505;Deleted.;
A0099039.exe;C:\System Volume Information\_restore{BFEA8E54-DD13-4758-B1B8-08016A73C1A8}\RP165;Trojan.Shutdown;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;


Logfile of HijackThis v1.99.1
Scan saved at 2:53:17 PM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#11 njustice

njustice

  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 06 August 2006 - 05:39 AM

Hello ndkaki,

In my initial analysis I see that I was wrong in what infection you had and apologize for this error.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Let me know how your computer is performing.
Have I helped you? Please consider donating to help me continue my fight against malware

#12 ndkaki

ndkaki
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 07 August 2006 - 04:00 AM

njustice

no need to apologise.

I have run Vundo previously and no viruses were found. The same outcome occurred this time.

VundoFix V5.1.6

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 11:04:44 AM 8/4/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.6

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 10:38:19 AM 8/6/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 6:56:04 PM 8/8/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...



Logfile of HijackThis v1.99.1
Scan saved at 7:00:00 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
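
As an added example (not code from this thread or from HijackThis), here is a small Python script that compares two HijackThis 1.99.x logs section by section, the check a helper does by eye between the log in post #10 and the one above. The two embedded logs are constructed, shortened versions of those two posted logs.

```python
"""Compare two HijackThis 1.99.x logs and list what changed between them.

Added example for this thread; it is not code from the thread or from
HijackThis. The two sample logs are constructed, shortened versions of
the logs posted in posts #10 and #12."""
import re

# Numbered HJT entries look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

# Constructed sample: shape of the log from post #10 (before VundoFix).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:53:17 PM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgmain.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed sample: shape of the log from post #12 (after VundoFix).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:00:00 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def parse_hjt_log(text):
    """Return (processes, entries): process paths lower-cased (HJT mixes
    System32/system32 in the same log), entries as the exact numbered lines."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def compare_logs(before_text, after_text):
    """Set differences between two logs: what appeared and what went away."""
    p_before, e_before = parse_hjt_log(before_text)
    p_after, e_after = parse_hjt_log(after_text)
    return {
        "processes_added": sorted(p_after - p_before),
        "processes_removed": sorted(p_before - p_after),
        "entries_added": sorted(e_after - e_before),
        "entries_removed": sorted(e_before - e_after),
    }


def by_section(entries):
    """Group numbered entries by their HJT section code (R0, O4, O23, ...)."""
    grouped = {}
    for line in entries:
        code = ENTRY_RE.match(line).group(1)
        grouped.setdefault(code, []).append(line)
    return grouped


def print_report(diff):
    """Human-readable summary, entries first because those are the autostarts."""
    for key in ("entries_added", "entries_removed"):
        print(f"== {key} ==")
        for code, lines in sorted(by_section(diff[key]).items()):
            for line in lines:
                print(f"  [{code}] {line}")
    for key in ("processes_added", "processes_removed"):
        print(f"== {key} ==")
        for proc in diff[key]:
            print(f"  {proc}")


if __name__ == "__main__":
    print_report(compare_logs(LOG_BEFORE, LOG_AFTER))
```

On the constructed samples the report shows the new R0 Local Page entry and the Adobe Global Startup item appearing, and the SpywareGuard Startup entry and its sgmain.exe process disappearing, which is exactly the kind of change a helper wants pointed out between two posted logs.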

#13 njustice

njustice

  • Security Colleague
  • 49 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 AM

Posted 07 August 2006 - 05:06 AM

Hello ndkaki,

Is C:\WINDOWS\system32\ssqpo.dll still trying to load? If so,

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\ssqpo.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

Next.....

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Have I helped you? Please consider donating to help me continue my fight against malware

#14 ndkaki

ndkaki
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 10 August 2006 - 05:06 AM

Njustice

ssqpo.dll is still attempting to run. I have removed Spybot resident and spypatrol to allow it, or affiliate malware, to do whatever it does, which I believe is to install Spyquake, et al.

I have tried to delete with Killbox previously, but on reboot the file still remains. A pesky little bugger!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 11, 2006 8:01:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/08/2006
Kaspersky Anti-Virus database records: 213731
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 81782
Number of viruses found: 4
Number of infected objects: 23 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02880000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02880001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04F00000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06500000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08200000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08200001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280001.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280002.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280003.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280003.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280003.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280003.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280003.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280004.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\.housecall\Quarantine\dvdplay.dll.bac_a03572 Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\5F79C9EFd01 Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\FE9B5EF3d01 Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\p8iwy72j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\fla1F.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\fla21.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010001.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
