Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

1st Hijack This Log


  • This topic is locked This topic is locked
13 replies to this topic

#1 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 24 December 2005 - 12:42 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:35:01 AM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\omysmne.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system32\rlvknlg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\CM Instant Messenger\cim.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.air1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Less
R3 - URLSearchHook: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\SYSTEM32\GrooweToolbar.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [bnwyznafkzgi] C:\WINDOWS\System32\omysmne.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [wmiscmgr] C:\WINDOWS\System32\wmiscmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Reboot.exe
O4 - Global Startup: CM Instant Messenger.lnk = C:\Program Files\CM Instant Messenger\cim.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: &searchpixie Toolbar search - res://C:\PROGRAM FILES\IETOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {1AE2F26C-8E23-4930-A68D-9E681A764001} - (no file)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downlo..._1036_EN_XP.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downl..._1047_EN_XP.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downl...svc32_EN_XP.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This is my first log, can you help me.

Thanks

Anthony

    Advertisements

Register to Remove


#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 29 December 2005 - 10:44 AM

Hello Anthony and welcome to TomCoyote forum. You do have a bunch of bad stuff on your computer. If you still need help and are not being helped elsewhere, please do this:

1) C:\Documents and Settings\Anthony\Local Settings\Temp\HijackThis.exe Move HJT from the TEMP folder, I prefer : C:\HJT\HijackThis.exe. If you need more instructions use these: http://russelltexas....tehjtfolder.htm

2) Since almost a week has gone by, after you move HJT to a safe permanent folder, post a new HJT log and I will respond as soon as possible after you do.

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 30 December 2005 - 11:14 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:12:32 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\omysmne.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\windows\system32\rlvknlg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.air1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Less
R3 - URLSearchHook: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\SYSTEM32\GrooweToolbar.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [bnwyznafkzgi] C:\WINDOWS\System32\omysmne.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [wmiscmgr] C:\WINDOWS\System32\wmiscmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Reboot.exe
O4 - Global Startup: CM Instant Messenger.lnk = C:\Program Files\CM Instant Messenger\cim.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: &searchpixie Toolbar search - res://C:\PROGRAM FILES\IETOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {1AE2F26C-8E23-4930-A68D-9E681A764001} - (no file)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downlo..._1036_EN_XP.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downl..._1047_EN_XP.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downl...svc32_EN_XP.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The computer would not let me move it from the temporary internet files folder. I also discovered that it was contained within the Program Files folder. Please just tell me what to delete. Anthony won't know what to do and I (his finance) am only here until today and tomorrow. Please answer this sooner rather than later.

#4 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 30 December 2005 - 01:28 PM

I will tell you one more time that your backups for safety will not be available in the TEMP situation you have them in now and this can be very dangerous. If we need those backups we will not have them. I can not be responsible for this.
I suggest you delete all instances of HJT you have on the computer. Open your C:\ and RIGHT click on a blank spot with your mouse. Make a NEW FOLDER and call it HJT. Go to this site http://www.malwarere.../downloads.html and the number one & two (1 & 2) items are downloads of HJT. Choose the download for .exe. When asked choose to Save this file now. In the top Save in box navigate to folder HJT and choose to Save it in that folder. Run HJT from that folder from now on.
I will also say this information: http://russelltexas....tehjtfolder.htm and the visuals it provides explains how to do this.

Follow these instructions in the posted order.

1) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [bnwyznafkzgi] C:\WINDOWS\System32\omysmne.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [wmiscmgr] C:\WINDOWS\System32\wmiscmgr.exe
O4 - Startup: Reboot.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O9 - Extra button: (no name) - {1AE2F26C-8E23-4930-A68D-9E681A764001} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downlo..._1036_EN_XP.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downl..._1047_EN_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downl...svc32_EN_XP.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\satmat.exe >>> file

C:\windows\system32\rlvknlg.exe >>> file

C:\WINDOWS\System32\omysmne.exe >>> file

C:\WINDOWS\System32\wmiscmgr.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

6) Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have.

Thanks...pskelley
TomCoyote forum
Expert Member

When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.syma...src=sec_doc_nam

Edited by pskelley, 30 December 2005 - 01:30 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 30 December 2005 - 06:55 PM

member posted duplicate HJT logs. I edited one of them out to avoid confuxion.
Thanks...pskelley


Logfile of HijackThis v1.99.1
Scan saved at 4:50:05 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\CM Instant Messenger\cim.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Less
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\SYSTEM32\GrooweToolbar.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: CM Instant Messenger.lnk = C:\Program Files\CM Instant Messenger\cim.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &searchpixie Toolbar search - res://C:\PROGRAM FILES\IETOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downl..._1047_EN_XP.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Not sure how to post report of Ewido Security system. Can you help? Thanks

Edited by pskelley, 30 December 2005 - 07:12 PM.


#6 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 30 December 2005 - 06:58 PM

--------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 4:20:27 PM, 12/30/2005 + Report-Checksum: A4E6C024 + Scan result: HKLM\SOFTWARE\Classes\TypeLib\{BA232BA2-12D3-47CD-AA05-5E8F85DBC650} -> Dialer.Generic : Ignored HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Ignored HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{505098FD-5D61-4BC2-9B82-F969D0E932A2} -> Dialer.Generic : Ignored HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} -> Spyware.ISTBar : Ignored HKLM\SOFTWARE\Microsoft\Protected Storage System Provider\anthony\Data\e161255a-37c3-11d2-bcaa-00c04fd929db\e161255a-37c3-11d2-bcaa-00c04fd929db\strasse:StringIndex -> Dialer.Generic : Ignored HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09F0F280-FB9A-481B-B69A-CB00DC44D027} -> Spyware.AdvancedSearchbar : Ignored HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77712A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.AdvancedSearchbar : Ignored HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6} -> Spyware.SideStep : Ignored HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Ignored HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD} -> Spyware.Transponder : Ignored HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{09F0F280-FB9A-481B-B69A-CB00DC44D027} -> Spyware.AdvancedSearchbar : Ignored HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{77712A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.AdvancedSearchbar : Ignored HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D714A94F-123A-45CC-8F03-040BCAF82AD6} -> Spyware.SideStep : Ignored [432] VM_10001000 -> Adware.NaviPromo : Ignored [456] VM_10001000 -> Adware.NaviPromo : Ignored [500] VM_10001000 -> Adware.NaviPromo : Ignored [512] VM_10001000 -> Adware.NaviPromo : Ignored [652] VM_10001000 -> Adware.NaviPromo : Ignored [724] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Ignored [788] VM_10001000 -> Adware.NaviPromo : Ignored [840] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Ignored [916] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Ignored [1112] VM_00EF1000 -> Adware.NaviPromo : Ignored [1664] VM_00A81000 -> Adware.NaviPromo : Ignored [1840] VM_02331000 -> Adware.NaviPromo : Ignored [180] VM_010C1000 -> Adware.NaviPromo : Ignored [224] VM_00B21000 -> Adware.NaviPromo : Ignored [304] VM_00D21000 -> Adware.NaviPromo : Ignored [312] VM_00AF1000 -> Adware.NaviPromo : Ignored [352] VM_10001000 -> Adware.NaviPromo : Ignored [376] VM_01D71000 -> Adware.NaviPromo : Ignored [384] VM_014B1000 -> Adware.NaviPromo : Ignored [388] VM_00D51000 -> Adware.NaviPromo : Ignored [424] VM_019C1000 -> Adware.NaviPromo : Ignored [636] VM_01131000 -> Adware.NaviPromo : Ignored [2372] VM_10001000 -> Adware.NaviPromo : Ignored [1540] VM_02401000 -> Adware.NaviPromo : Ignored C:\WINDOWS\SYSTEM32\rk.bin -> Spyware.RK : Ignored C:\WINDOWS\SYSTEM32\sysinetsvc32.dll -> Dialer.Generic : Ignored C:\WINDOWS\SYSTEM32\eg_auth_srv_1047.dll -> Dialer.Generic : Ignored C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Ignored C:\WINDOWS\eg_auth_1047.dll -> Dialer.Generic : Ignored C:\WINDOWS\p2esocks_1047.dll -> Dialer.Generic : Ignored C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Ignored C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP209\A0069283.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP209\A0069295.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069334.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069346.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069355.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069381.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069386.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069393.dll -> Dialer.Generic : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP215\A0069403.exe -> Spyware.RK : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP215\A0069414.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP216\A0069432.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP217\A0069452.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069480.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069494.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069507.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP225\A0073378.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP225\A0073415.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP226\A0073549.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP227\A0073761.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP228\A0073842.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP229\A0073857.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP229\A0074663.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP230\A0075668.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP231\A0075729.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP231\A0075811.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP232\A0075879.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075894.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075902.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075909.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075921.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075932.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075943.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075970.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075978.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0075987.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0075995.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0076008.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP236\A0076017.dll -> Trojan.P2E.bc : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076034.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076046.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076054.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076069.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP239\A0076079.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP239\A0076086.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076097.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076107.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076115.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0077117.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077161.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077164.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077173.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077181.dll -> Spyware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077201.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077209.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077232.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077239.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077247.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077255.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077283.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP246\A0077296.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP246\A0077304.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP247\A0077311.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP249\A0077338.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP250\A0077357.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP251\A0077367.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0077376.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0077385.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0078385.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP253\A0078425.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079047.dll -> Adware.NaviPromo : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079060.exe -> Downloader.Agent.ae : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079061.exe -> Logger.Briss.h : Ignored C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079069.dll -> Adware.NaviPromo : Ignored C:\Documents and Settings\Anthony\Local Settings\Temp\Cookies\anthony@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Ignored C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU -> Spyware.SaveNow : Ignored C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Ignored C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Ignored C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@112.2o7[1].txt -> Spyware.Cookie.2o7 : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@oxcash[2].txt -> Spyware.Cookie.Oxcash : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@bidtool.overture[1].txt -> Spyware.Cookie.Overture : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@com[1].txt -> Spyware.Cookie.Com : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@newyorkcasino[1].txt -> Spyware.Cookie.Newyorkcasino : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@banner.newyorkcasino[2].txt -> Spyware.Cookie.Newyorkcasino : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@com[3].txt -> Spyware.Cookie.Com : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@www.grandonline[1].txt -> Spyware.Cookie.Grandonline : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@e-2dj6wjkocndjcdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@banner.grandonline[2].txt -> Spyware.Cookie.Grandonline : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@grandonline[2].txt -> Spyware.Cookie.Grandonline : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@cbs.112.2o7[1].txt -> Spyware.Cookie.2o7 : Ignored C:\Documents and Settings\Anthony\Cookies\anthony@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Ignored :mozilla.16:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored :mozilla.17:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Bfast : Ignored :mozilla.18:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.19:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.23:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.24:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.25:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.27:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.28:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.29:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.30:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored :mozilla.59:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Bluestreak : Ignored :mozilla.89:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.90:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.91:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.92:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.93:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.103:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored :mozilla.104:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.105:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored :mozilla.107:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Centrport : Ignored :mozilla.108:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Centrport : Ignored :mozilla.111:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.112:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.113:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored :mozilla.127:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored :mozilla.128:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored :mozilla.129:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored :mozilla.130:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored :mozilla.132:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.135:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.136:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.139:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored :mozilla.148:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Com : Ignored :mozilla.150:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Com : Ignored :mozilla.157:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.158:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.159:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Overture : Ignored :mozilla.170:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Liveperson : Ignored :mozilla.171:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Liveperson : Ignored :mozilla.192:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.193:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.194:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.207:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.208:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.209:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.210:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.211:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Ignored :mozilla.212:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Ignored :mozilla.213:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Ignored :mozilla.233:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Com : Ignored :mozilla.289:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored :mozilla.291:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored :mozilla.292:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored :mozilla.300:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.319:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored -> : Ignored :mozilla.393:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Clickzs : Ignored :mozilla.394:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Clickzs : Ignored :mozilla.406:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Oxcash : Ignored :mozilla.407:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Oxcash : Ignored :mozilla.408:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Oxcash : Ignored :mozilla.412:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Oxcash : Ignored :mozilla.413:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Oxcash : Ignored :mozilla.416:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.417:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.418:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.419:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.420:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.421:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored :mozilla.424:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Clickzs : Ignored -> : Ignored :mozilla.446:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.448:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.461:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored :mozilla.463:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Excite : Ignored :mozilla.469:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Revenue : Ignored :mozilla.470:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Revenue : Ignored :mozilla.476:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Excite : Ignored :mozilla.479:C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\lsqg09ny.default\cookies.txt -> Spyware.Cookie.Excite : Ignored HKLM\SOFTWARE\Classes\CLSID\{09F0F280-FB9A-481B-B69A-CB00DC44D027} -> Spyware.AdvancedSearchbar : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{505098FD-5D61-4BC2-9B82-F969D0E932A2} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{77712A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.AdvancedSearchbar : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6} -> Spyware.SideStep : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{85A47EF4-35A6-4BD4-9B6F-C0222EA683C2} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{C5B46112-1F54-4043-A727-39C0299C854A} -> Dialer.Generic : Cleaned with backup ::Report End Here is the ewido Report. Figured it out myself. Thanks

#7 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 30 December 2005 - 07:09 PM

Yeah, I see. You only need to post one HJT log. You have chosen to ignore everything ewido found that was bad?? Ignored Run ewido again and this time delete what ewido finds, if it won't let you delete something, quarantine it. Once this is done and you post the new ewido scan results I will look at it.

Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#8 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 31 December 2005 - 12:46 PM

Here is the Ewido Log File after cleaning. Thanks for all your help so far. The computer is already running faster. --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 10:42:58 AM, 12/31/2005 + Report-Checksum: 1D408D02 + Scan result: HKLM\SOFTWARE\Classes\TypeLib\{BA232BA2-12D3-47CD-AA05-5E8F85DBC650} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Microsoft\Protected Storage System Provider\anthony\Data\e161255a-37c3-11d2-bcaa-00c04fd929db\e161255a-37c3-11d2-bcaa-00c04fd929db\strasse:StringIndex -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD} -> Spyware.Transponder : Cleaned with backup HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{09F0F280-FB9A-481B-B69A-CB00DC44D027} -> Spyware.AdvancedSearchbar : Cleaned with backup HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{77712A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.AdvancedSearchbar : Cleaned with backup HKU\S-1-5-21-220523388-920026266-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D714A94F-123A-45CC-8F03-040BCAF82AD6} -> Spyware.SideStep : Cleaned with backup [424] VM_10001000 -> Adware.NaviPromo : Error during cleaning [448] VM_10001000 -> Adware.NaviPromo : Error during cleaning [500] VM_10001000 -> Adware.NaviPromo : Error during cleaning [512] VM_10001000 -> Adware.NaviPromo : Error during cleaning [660] VM_10001000 -> Adware.NaviPromo : Error during cleaning [704] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup [768] VM_10001000 -> Adware.NaviPromo : Error during cleaning [844] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning [964] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning [1088] VM_00E81000 -> Adware.NaviPromo : Error during cleaning [1548] VM_01A31000 -> Adware.NaviPromo : Error during cleaning [1580] VM_00D71000 -> Adware.NaviPromo : Error during cleaning [184] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning [1932] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning [3580] VM_01131000 -> Adware.NaviPromo : Error during cleaning [3816] VM_010B1000 -> Adware.NaviPromo : Error during cleaning [3956] VM_00B21000 -> Adware.NaviPromo : Error during cleaning [4052] VM_00AF1000 -> Adware.NaviPromo : Error during cleaning [192] VM_00AF1000 -> Adware.NaviPromo : Error during cleaning [400] VM_10001000 -> Adware.NaviPromo : Error during cleaning [812] VM_00FB1000 -> Adware.NaviPromo : Error during cleaning [2024] VM_10001000 -> Adware.NaviPromo : Error during cleaning [2324] VM_10001000 -> Adware.NaviPromo : Error during cleaning [2716] VM_10001000 -> Adware.NaviPromo : Error during cleaning [3596] VM_10001000 -> Adware.NaviPromo : Error during cleaning C:\WINDOWS\SYSTEM32\rk.bin -> Spyware.RK : Cleaned with backup C:\WINDOWS\SYSTEM32\eg_auth_srv_1047.dll -> Dialer.Generic : Cleaned with backup C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup C:\WINDOWS\eg_auth_1047.dll -> Dialer.Generic : Cleaned with backup C:\WINDOWS\p2esocks_1047.dll -> Dialer.Generic : Cleaned with backup C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069334.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069346.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP212\A0069355.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069381.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069386.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP213\A0069393.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP215\A0069403.exe -> Spyware.RK : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP215\A0069414.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP216\A0069432.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP217\A0069452.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069480.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069494.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP219\A0069507.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP225\A0073378.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP225\A0073415.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP226\A0073549.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP227\A0073761.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP228\A0073842.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP229\A0073857.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP229\A0074663.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP230\A0075668.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP231\A0075729.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP231\A0075811.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP232\A0075879.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075894.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075902.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP233\A0075909.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075921.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075932.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075943.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075970.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP234\A0075978.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0075987.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0075995.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP235\A0076008.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP236\A0076017.dll -> Trojan.P2E.bc : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076034.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076046.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076054.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP238\A0076069.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP239\A0076079.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP239\A0076086.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076097.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076107.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0076115.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP240\A0077117.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077161.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077164.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077173.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP242\A0077181.dll -> Spyware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077201.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077209.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP243\A0077232.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077239.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077247.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077255.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP245\A0077283.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP246\A0077296.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP246\A0077304.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP247\A0077311.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP249\A0077338.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP250\A0077357.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP251\A0077367.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0077376.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0077385.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP252\A0078385.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP253\A0078425.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079047.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079060.exe -> Downloader.Agent.ae : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079061.exe -> Logger.Briss.h : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079069.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079077.dll -> Dialer.Generic : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079318.dll -> Adware.NaviPromo : Cleaned with backup C:\System Volume Information\_restore{67C03792-ADCD-4443-9939-AAD4D382248F}\RP254\A0079321.dll -> Adware.NaviPromo : Cleaned with backup C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\Anthony\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@casinopays[1].txt -> Spyware.Cookie.Casinopays : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@crbanner.casinopays[2].txt -> Spyware.Cookie.Casinopays : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@www.grandonline[1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@e-2dj6wjkocndjcdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@banner.grandonline[2].txt -> Spyware.Cookie.Grandonline : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@grandonline[2].txt -> Spyware.Cookie.Grandonline : Cleaned with backup C:\Documents and Settings\Anthony\Cookies\anthony@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup C:\HJT\backups\backup-20051230-162559-385.dll -> Dialer.Generic : Cleaned with backup ::Report End

#9 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 31 December 2005 - 01:52 PM

Well, the HJT log does not look to bad, only clutter left, but the ewido scan is showing some really nasty stuff that ewido was not able to clean. Look at the last ewido log for the items error during cleaning. There is not a lot of information available about them:
http://www.google.co.....are.NaviPromo
and this one: msclock32.dll

Here is what I would like you to do. Download and run this tool acording to the instructions. Please save the results and post them with your next post:
http://www.microsoft...ve/default.mspx

Now follow these instructions:

MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

That will get rid of all of these in the ewido log: C:\System Volume Information\_restore

Now use these instructions to start the computer in safe mode:
http://www.bleepingc...tutorial61.html

Once in safe mode scan with ewido and remove anything it locates. While still in safe mode,

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Empty the recycle bin and reboot the computer. Post the ewido scan report, the HJT log and any information I requested.

Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#10 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 31 December 2005 - 05:02 PM

When I downloaded and ran that program it found nothing was infected. Here is the latest Ewido log and HJK logs.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:47:39 PM, 12/31/2005
+ Report-Checksum: 3B47A425

+ Scan result:

C:\WINDOWS\SYSTEM32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:02:06 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system32\ukgrswj.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CM Instant Messenger\cim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Less
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\SYSTEM32\GrooweToolbar.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ukgrswj] c:\windows\system32\ukgrswj.exe ukgrswj
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: CM Instant Messenger.lnk = C:\Program Files\CM Instant Messenger\cim.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &searchpixie Toolbar search - res://C:\PROGRAM FILES\IETOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downl..._1047_EN_XP.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#11 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 31 December 2005 - 05:26 PM

OK, the ewido scan looks good, we have one more nasty that is holding on. We will try HJT first and if that does not kill it we will use Killbox.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [ukgrswj] c:\windows\system32\ukgrswj.exe ukgrswj

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\windows\system32\ukgrswj.exe >>> folder

If it does not remove with this proceedure, then do this:

Download Killbox for here: http://forum.malware...topic.php?t=320 then follow the directions to delete: C:\windows\system32\ukgrswj.exe
Let's hope that takes care of it. Let me know how the computer is running now.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#12 oicurhis2

oicurhis2

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 31 December 2005 - 05:46 PM

Had to use Killbox but got rid of the file that you asked me to get rid of. Seems to be running ok, but will check with Anthony later he will know more if the computer is running smoother than I will. Thanks for all your help. Becque

#13 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 31 December 2005 - 05:55 PM

OK Becque, sounds good to me, he should have this information, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Happy New Year...Phil :wavey:

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#14 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 02 January 2006 - 10:58 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users