Having Winfixer Problems -- HijackThis & uninstall list


16 replies to this topic

#1 ScottyG (New Member)
Posted 06 January 2006 - 06:34 PM

Please help me with getting rid of this annoying WinFixer popup. Here's my HJT log followed by the uninstall list:

Logfile of HijackThis v1.99.1
Scan saved at 6:23:21 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gt.rr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124330648750
O20 - Winlogon Notify: ddccb - C:\WINDOWS\SYSTEM32\ddccb.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

UNINSTALL LIST:

3D Groove Playback Engine
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
America Online (Choose which version to remove)
Ant War
Anti Boss Key
AOL Instant Messenger
aspi
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
ATI Remote Wonder 2.3
Blackhawk Striker from ATI (remove only)
Blasterball 2 from ATI (remove only)
BMSE dbl
BookWorm Deluxe 1.03
Bounce Symphony from ATI (remove only)
CA eTrust PestPatrol
CCHelp
CCScore
Chuzzle Deluxe 1.0
Chuzzle Deluxe from ATI (remove only)
Conexant SmartHSFi V.9x 56K DF PCI Modem
CoolSpeech 5.0 with Mary
DAO
Dell Support 5.0.0 (766)
Digital Line Detect
DivX
DivX Player
DVDSentry
Dynomite Deluxe 2.71
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
eTrust EZ Antivirus
eTrust EZ Armor
Guild Wars
HijackThis 1.99.1
HP Deskjet 6800
HP Photo & Imaging 4.1
HP Software Update
IE Help
IEC system
Insaniquarium Deluxe 1.0
Insaniquarium Deluxe from ATI (remove only)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Kodak EasyShare software
KSU
LimeWire 4.9.37
Listen Rhapsody
Macromedia Flash Player 8
Macromedia Shockwave Player
Mars Rover from ATI (remove only)
MechWarrior 4 Mercenaries
MechWarrior Vengeance
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office Basic Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Modem Helper
MSN Music Assistant
MUSICMATCH® Jukebox
NetWaiting
Notifier
Orbital from ATI (remove only)
OTtBP
Overball from ATI (remove only)
P.I.E. Patch
Polar Bowler from ATI (remove only)
PowerDVD
QuickTime
RealOne Player
Retrospect 6.5
Rhapsody
Runescape Xplorer 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB912919)
SFR
SFR2
Shockwave
Sonic DLA
Sonic RecordNow!
Sound Blaster Live!
Starware 3.3.2.0
STX from ATI (remove only)
SuperPower (remove only)
Support Software
Untitled Screen Saver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB MassStorage CardReader
Viewpoint Media Player
Virtual Warfare from ATI (remove only)
WD Media Center Driver
WildTangent GameChannel (remove only)
WildTangent Web Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows SA
Windows SR 2.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Word Symphony from ATI (remove only)
Yahoo! Companion
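The entries that make this log suspicious (a BHO with no display name sitting in system32, a bare `system.exe` under Run and RunServices, and Winlogon Notify DLLs that double as BHOs) can be picked out mechanically. The Python script below is an added example, not HijackThis code or anything posted in this thread; it carries a constructed subset of the log above as sample input, and the review heuristics, including the cross-check between O2 and O20 entries, are the editor's own.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample input: a subset of the HijackThis v1.99.1 lines posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O20 - Winlogon Notify: ddccb - C:\WINDOWS\SYSTEM32\ddccb.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# One pattern per HijackThis section this script understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O2"
    target: str   # lower-cased file name the entry points at
    reason: str   # why a reviewer should look at this entry


def _exe_token(cmd: str) -> str:
    """Return the program part of an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32_root(path: str) -> bool:
    """True when the file sits directly under system32 rather than in a vendor subfolder."""
    return re.match(r"^[a-z]:\\windows\\system32\\[^\\]+$", path.lower()) is not None


def triage(log_text: str) -> List[Finding]:
    """Apply the review heuristics to every recognised line and collect findings.

    HijackThis writes sections in numeric order, so every O2 line is seen before
    the O20 lines; that ordering is what the BHO/Winlogon cross-check relies on.
    """
    findings: List[Finding] = []
    bho_dlls: Set[str] = set()  # BHO file names, cross-referenced against O20 entries
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            dll = _basename(m["path"])
            bho_dlls.add(dll)
            if m["name"] == "(no name)":
                findings.append(Finding("O2", dll, "BHO registered without a display name"))
            elif _in_system32_root(m["path"]):
                findings.append(Finding("O2", dll, "BHO DLL dropped straight into system32 rather than a vendor folder"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_token(m["cmd"])
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding("O4", _basename(exe), m["hive"] + "\\..\\" + m["key"]
                                        + " starts a bare file name resolved through the search path, not a full path"))
            if m["key"].lower() == "runservices":
                findings.append(Finding("O4", _basename(exe),
                                        "RunServices is a Windows 9x/Me key; an entry there on Windows XP is a warning sign"))
            continue
        m = O20_RE.match(line)
        if m:
            dll = _basename(m["path"])
            if dll in bho_dlls:
                findings.append(Finding("O20", dll, "same DLL is both a BHO and a Winlogon Notify handler "
                                                    "(loads into winlogon.exe and Internet Explorer)"))
            else:
                findings.append(Finding("O20", dll, "Winlogon Notify DLL: confirm the publisher before trusting it"))
            continue
        m = O23_RE.match(line)
        if m and m["path"].endswith(FILE_MISSING):
            exe = _basename(m["path"][: -len(FILE_MISSING)].rstrip())
            findings.append(Finding("O23", exe, "service registration points at a file that no longer exists"))
    return findings


def flagged_targets(log_text: str) -> Set[str]:
    """Convenience view: the set of file names any heuristic flagged."""
    return {f.target for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target:<18} {f.reason}")
```

Run it against a full log pasted into `SAMPLE_LOG` (or read from a file) and the flagged entries are the ones to research before deciding what to remove; anything the script does not flag still deserves a human look.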


#2 Siggyx (SuperHelper)
Posted 06 January 2006 - 11:06 PM

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone >>>> http://secured2k.hom...mundoBeGone.exe

Reboot your computer into Safe Mode

Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished

Reboot and post a new hijackthis log please.

#3 ScottyG (New Member)
Posted 07 January 2006 - 10:15 AM

When I tried the VirtumundoBegone download, I got this: "You are not authorized to view this page You might not have permission to view this directory or page using the credentials you supplied"

#4 Siggyx (SuperHelper)
Posted 07 January 2006 - 10:21 AM

Ok, post a new hijackthis log please.

#5 ScottyG (New Member)
Posted 07 January 2006 - 10:49 AM

I certainly appreciate the quick response. Here's a new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:39 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gt.rr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124330648750
O20 - Winlogon Notify: ddccb - C:\WINDOWS\SYSTEM32\ddccb.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#6 Siggyx (SuperHelper)
Posted 07 January 2006 - 04:26 PM

STEP 1.
======
SpySweeper
Please download http://www.webroot.c....php?bjpc=64011 .
(It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
STEP 2.
======
Download Ewido
  • Download and install Ewido Security Suite. It is a free trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
STEP 3.
======
Update Ewido
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 4.
======
Ewido Scan
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


STEP 5.
======
CWShredder

Please download and run CWShredder
Make sure that all browser windows are closed with the exception of CWShredder and choose FIX.

STEP 6.
======

Please do an online scan here http://housecall.trendmicro.com/ and allow it to clean/remove what it finds.


Please post the results from SpySweeper, ewido and a new hijackthis log.

#7 ScottyG (New Member)
Posted 07 January 2006 - 09:12 PM

Hate to be a pain, but I get "You are not authorized to view this page" when I try to download SpySweeper. I went to the webroot site and I don't see a home/small business free trial, but I do see the medium business/enterprise free trial.

Edited by ScottyG, 07 January 2006 - 09:12 PM.


#8 ScottyG (New Member)
Posted 07 January 2006 - 10:40 PM

Stand by.... my firewall settings were a little too tight. I'm downloading SpySweeper successfully now. I'll get back to your recommended procedure and post results soon. Thanks, Scott

#9 ScottyG (New Member)
Posted 08 January 2006 - 10:22 AM

All right... here are some results:

The SpySweeper rebooted the box while in the entity removal step, so the log file was retrieved after a reboot.

The Ewido scan had to be retried about 4 times to make it through without a Windows error that would shut down Internet Explorer.

CWShredder was quick, but appeared to have no issues.

HouseCall scan would not kick off and go. It would go through a verifying and updating step, then go to idle status. I ran a system scan with my EZTrust AV software, and it was clean.

Here are the log files:

SPYSWEEPER:
********
10:45 PM: | Start of Session, Saturday, January 07, 2006 |
10:45 PM: Spy Sweeper started
10:45 PM: Sweep initiated using definitions version 597
10:45 PM: Found Trojan Horse: trojan-downloader-conhook
10:45 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\inprocserver32\ (2 subtraces) (ID = 1065932)
10:45 PM: ddccb.dll (ID = 1065932)
10:45 PM: Starting Memory Sweep
10:45 PM: Found Adware: exact navisearch
10:45 PM: Detected running threat: C:\WINDOWS\System32\nvms.dll (ID = 70411)
10:45 PM: Detected running threat: C:\WINDOWS\System32\mscb.dll (ID = 70399)
10:46 PM: Found Adware: virtumonde
10:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\jkkli.dll (ID = 77)
10:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\pmnll.dll (ID = 77)
10:49 PM: Memory Sweep Complete, Elapsed Time: 00:03:49
10:49 PM: Starting Registry Sweep
10:49 PM: HKCR\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\ (9 subtraces) (ID = 104006)
10:49 PM: Found Adware: blazefind
10:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/bridge.dll\ (2 subtraces) (ID = 104526)
10:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\bridge.dll (ID = 104541)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\windows sr 2.0\ (4 subtraces) (ID = 104552)
10:49 PM: Found Adware: exact cashback/bargain buddy
10:49 PM: HKLM\software\cashback\ (1 subtraces) (ID = 105372)
10:49 PM: Found Adware: clearsearch
10:49 PM: HKCR\csbb.csbbcore.1\ (3 subtraces) (ID = 105593)
10:49 PM: HKCR\csbb.csbbcore\ (5 subtraces) (ID = 105594)
10:49 PM: HKLM\software\classes\csbb.csbbcore.1\ (3 subtraces) (ID = 105716)
10:49 PM: HKLM\software\classes\csbb.csbbcore\ (5 subtraces) (ID = 105717)
10:49 PM: HKLM\software\classes\interface\{15bf1d7c-9e2c-489c-aca0-ede133a06df5}\ (8 subtraces) (ID = 105721)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\contextsidebar\ (ID = 105842)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mirrorunder\ (ID = 105843)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ronsidebar\ (ID = 105844)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\urlsidebar\ (ID = 105846)
10:49 PM: HKCR\typelib\{abbf650c-e69a-4c95-ba45-0f2c7c2a13a4}\ (9 subtraces) (ID = 105866)
10:49 PM: Found Adware: great net downloadware
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\medialoads enhanced\ (2 subtraces) (ID = 125363)
10:49 PM: Found Adware: internexus dialer
10:49 PM: HKLM\software\intexusdial\ (ID = 128946)
10:49 PM: HKCR\cb.urlcatcher.1\ (3 subtraces) (ID = 135553)
10:49 PM: HKCR\cb.urlcatcher\ (3 subtraces) (ID = 135554)
10:49 PM: HKCR\clsid\{ce188402-6ee7-4022-8868-ab25173a3e14}\ (9 subtraces) (ID = 135558)
10:49 PM: HKCR\nls.urlcatcher.1\ (3 subtraces) (ID = 135565)
10:49 PM: HKCR\nls.urlcatcher\ (3 subtraces) (ID = 135566)
10:49 PM: HKLM\software\classes\nls.urlcatcher.1\ (3 subtraces) (ID = 135575)
10:49 PM: HKLM\software\classes\nls.urlcatcher\ (3 subtraces) (ID = 135576)
10:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\ (ID = 135578)
10:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{ce188402-6ee7-4022-8868-ab25173a3e14}\ (ID = 135579)
10:49 PM: Found Adware: networkessentials
10:49 PM: HKCR\interface\{4438a5dc-e00b-41a0-b0e6-b63fd3b86eee}\ (8 subtraces) (ID = 136074)
10:49 PM: HKCR\mp.mediapops.1\ (3 subtraces) (ID = 136079)
10:49 PM: HKCR\mp.mediapops\ (5 subtraces) (ID = 136080)
10:49 PM: HKLM\software\classes\interface\{4438a5dc-e00b-41a0-b0e6-b63fd3b86eee}\ (8 subtraces) (ID = 136147)
10:49 PM: HKLM\software\classes\mp.mediapops\ (5 subtraces) (ID = 136152)
10:49 PM: HKLM\software\classes\typelib\{4767c447-ef15-42f2-8809-68adb7fa76f1}\ (9 subtraces) (ID = 136154)
10:49 PM: HKCR\typelib\{4767c447-ef15-42f2-8809-68adb7fa76f1}\ (9 subtraces) (ID = 136181)
10:49 PM: Found Adware: searchexe
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bmse dbl\ (2 subtraces) (ID = 140919)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ie help\ (2 subtraces) (ID = 140920)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\iec system\ (2 subtraces) (ID = 140921)
10:49 PM: Found Adware: starware toolbar
10:49 PM: HKCR\clsid\{2d51d869-c36b-42bd-ae68-0a81bc771fa5}\ (6 subtraces) (ID = 142841)
10:49 PM: HKCR\clsid\{7bed0340-176b-44bc-915e-c21c1dd6f617}\ (6 subtraces) (ID = 142842)
10:49 PM: HKCR\clsid\{d49e9d35-254c-4c6a-9d17-95018d228ff5}\ (4 subtraces) (ID = 142845)
10:49 PM: HKLM\software\classes\clsid\{2d51d869-c36b-42bd-ae68-0a81bc771fa5}\ (6 subtraces) (ID = 142849)
10:49 PM: HKLM\software\classes\clsid\{7bed0340-176b-44bc-915e-c21c1dd6f617}\ (6 subtraces) (ID = 142850)
10:49 PM: HKLM\software\classes\clsid\{d49e9d35-254c-4c6a-9d17-95018d228ff5}\ (4 subtraces) (ID = 142853)
10:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\starware\ (3 subtraces) (ID = 142865)
10:49 PM: HKLM\software\cashback\ (1 subtraces) (ID = 397089)
10:49 PM: HKLM\software\classes\cb.urlcatcher\ (3 subtraces) (ID = 646640)
10:49 PM: HKLM\software\classes\cb.urlcatcher.1\ (3 subtraces) (ID = 646644)
10:49 PM: HKLM\software\classes\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\ (9 subtraces) (ID = 646656)
10:49 PM: HKLM\software\classes\clsid\{ce188402-6ee7-4022-8868-ab25173a3e14}\ (9 subtraces) (ID = 646666)
10:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{ce188402-6ee7-4022-8868-ab25173a3e14}\ (ID = 646714)
10:49 PM: Found Adware: exact bullseye
10:49 PM: HKCR\typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\ (9 subtraces) (ID = 651023)
10:49 PM: HKCR\typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516e2a3}\ (9 subtraces) (ID = 651043)
10:49 PM: HKLM\software\classes\typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3}\ (9 subtraces) (ID = 651255)
10:49 PM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
10:49 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
10:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
10:49 PM: HKCR\atldistrib.atldistrib\ (9 subtraces) (ID = 1030533)
10:49 PM: HKCR\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030535)
10:49 PM: HKCR\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030537)
10:49 PM: HKCR\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030539)
10:49 PM: HKCR\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030541)
10:49 PM: HKLM\software\classes\atldistrib.atldistrib\ (9 subtraces) (ID = 1030666)
10:49 PM: HKLM\software\classes\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030668)
10:49 PM: HKLM\software\classes\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030670)
10:49 PM: HKLM\software\classes\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030672)
10:49 PM: HKLM\software\classes\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030674)
10:49 PM: HKCR\clsid\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (12 subtraces) (ID = 1037004)
10:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (ID = 1037057)
10:49 PM: HKLM\software\classes\clsid\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (12 subtraces) (ID = 1037059)
10:49 PM: Found Adware: ebates money maker
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
10:49 PM: Found Adware: webrebates
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\menuext\web savings\ (2 subtraces) (ID = 125591)
10:49 PM: Found Adware: ieplugin
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\dsktb\ (6 subtraces) (ID = 128171)
10:49 PM: Found Adware: upspiral toolbar
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\dsktb\ (6 subtraces) (ID = 128171)
10:49 PM: Found Adware: redzip toolbar
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\dsktb\ (6 subtraces) (ID = 128171)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\intexp\ (58 subtraces) (ID = 128173)
10:49 PM: Found Adware: ieplugin hijacker
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\main\ || search bar (ID = 128214)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\main\ || search page (ID = 128215)
10:49 PM: Found Adware: 180search assistant/zango
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\msbb\ (17 subtraces) (ID = 135781)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\support software\ (8 subtraces) (ID = 136177)
10:49 PM: Found Adware: search-exe hijacker
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\starware\ (12 subtraces) (ID = 142866)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\menuext\web rebates\ (2 subtraces) (ID = 146297)
10:49 PM: Found Adware: sidesearch
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1011\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\microsoft\internet explorer\menuext\web savings\ (2 subtraces) (ID = 125591)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\support software\ (11 subtraces) (ID = 136177)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\starware\ (12 subtraces) (ID = 142866)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1010\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\menuext\web savings\ (2 subtraces) (ID = 125591)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\support software\ (8 subtraces) (ID = 136177)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\starware\ (12 subtraces) (ID = 142866)
10:49 PM: HKU\WRSS_Profile_S-1-5-21-3034213126-833917562-2051650550-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\support software\ (8 subtraces) (ID = 136177)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\starware\ (12 subtraces) (ID = 142866)
10:49 PM: HKU\S-1-5-21-3034213126-833917562-2051650550-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:49 PM: Registry Sweep Complete, Elapsed Time:00:00:37
10:49 PM: Starting Cookie Sweep
10:49 PM: Found Spy Cookie: sandboxer cookie
10:49 PM: kristen@0[1].txt (ID = 3282)
10:49 PM: kristen@0[3].txt (ID = 3282)
10:49 PM: Found Spy Cookie: 412 cookie
10:49 PM: kristen@412[1].txt (ID = 1969)
10:49 PM: Found Spy Cookie: 69.93.205 cookie
10:49 PM: kristen@69.93.205[2].txt (ID = 2005)
10:49 PM: Found Spy Cookie: websponsors cookie
10:49 PM: kristen@a.websponsors[2].txt (ID = 3665)
10:49 PM: Found Spy Cookie: yieldmanager cookie
10:49 PM: kristen@ad.yieldmanager[2].txt (ID = 3751)
10:49 PM: Found Spy Cookie: adecn cookie
10:49 PM: kristen@adecn[1].txt (ID = 2063)
10:49 PM: Found Spy Cookie: adlegend cookie
10:49 PM: kristen@adlegend[1].txt (ID = 2074)
10:49 PM: Found Spy Cookie: hbmediapro cookie
10:49 PM: kristen@adopt.hbmediapro[2].txt (ID = 2768)
10:49 PM: Found Spy Cookie: precisead cookie
10:49 PM: kristen@adopt.precisead[1].txt (ID = 3182)
10:49 PM: Found Spy Cookie: specificclick.com cookie
10:49 PM: kristen@adopt.specificclick[1].txt (ID = 3400)
10:49 PM: Found Spy Cookie: adrevolver cookie
10:49 PM: kristen@adrevolver[1].txt (ID = 2088)
10:49 PM: kristen@adrevolver[3].txt (ID = 2088)
10:49 PM: Found Spy Cookie: addynamix cookie
10:49 PM: kristen@ads.addynamix[1].txt (ID = 2062)
10:49 PM: Found Spy Cookie: pointroll cookie
10:49 PM: kristen@ads.pointroll[1].txt (ID = 3148)
10:49 PM: Found Spy Cookie: bpath cookie
10:49 PM: kristen@ads18.bpath[1].txt (ID = 2321)
10:49 PM: Found Spy Cookie: adultfriendfinder cookie
10:49 PM: kristen@adultfriendfinder[2].txt (ID = 2165)
10:49 PM: Found Spy Cookie: affiliate cookie
10:49 PM: kristen@affiliate[1].txt (ID = 2199)
10:49 PM: Found Spy Cookie: apmebf cookie
10:49 PM: kristen@apmebf[2].txt (ID = 2229)
10:49 PM: Found Spy Cookie: atwola cookie
10:49 PM: kristen@ar.atwola[2].txt (ID = 2256)
10:49 PM: Found Spy Cookie: ask cookie
10:49 PM: kristen@ask[1].txt (ID = 2245)
10:49 PM: Found Spy Cookie: belnk cookie
10:49 PM: kristen@ath.belnk[2].txt (ID = 2293)
10:49 PM: kristen@atwola[2].txt (ID = 2255)
10:49 PM: Found Spy Cookie: avres cookie
10:49 PM: kristen@avres[2].txt (ID = 2261)
10:49 PM: Found Spy Cookie: azjmp cookie
10:49 PM: kristen@azjmp[2].txt (ID = 2270)
10:49 PM: Found Spy Cookie: banners cookie
10:49 PM: kristen@banners[2].txt (ID = 2282)
10:49 PM: Found Spy Cookie: banner cookie
10:49 PM: kristen@banner[1].txt (ID = 2276)
10:49 PM: kristen@belnk[1].txt (ID = 2292)
10:49 PM: Found Spy Cookie: enhance cookie
10:49 PM: kristen@c.enhance[1].txt (ID = 2614)
10:49 PM: Found Spy Cookie: goclick cookie
10:49 PM: kristen@c.goclick[2].txt (ID = 2733)
10:49 PM: Found Spy Cookie: 2o7.net cookie
10:49 PM: kristen@cnn.122.2o7[1].txt (ID = 1958)
10:49 PM: Found Spy Cookie: 180solutions cookie
10:49 PM: kristen@config.180solutions[1].txt (ID = 1934)
10:49 PM: Found Spy Cookie: tickle cookie
10:49 PM: kristen@cookie.tickle[1].txt (ID = 3530)
10:49 PM: Found Spy Cookie: customer cookie
10:49 PM: kristen@customer[1].txt (ID = 2481)
10:49 PM: kristen@customer[2].txt (ID = 2481)
10:49 PM: Found Spy Cookie: overture cookie
10:49 PM: kristen@data3.perf.overture[2].txt (ID = 3106)
10:49 PM: Found Spy Cookie: directtrack cookie
10:49 PM: kristen@directtrack[1].txt (ID = 2527)
10:49 PM: Found Spy Cookie: go.com cookie
10:49 PM: kristen@disney.go[2].txt (ID = 2729)
10:49 PM: kristen@dist.belnk[2].txt (ID = 2293)
10:49 PM: Found Spy Cookie: exitexchange cookie
10:49 PM: kristen@exitexchange[1].txt (ID = 2633)
10:49 PM: Found Spy Cookie: goldenpalace cookie
10:49 PM: kristen@goldenpalace[1].txt (ID = 2734)
10:49 PM: kristen@go[1].txt (ID = 2728)
10:49 PM: Found Spy Cookie: clickandtrack cookie
10:49 PM: kristen@hits.clickandtrack[1].txt (ID = 2397)
10:49 PM: Found Spy Cookie: homestore cookie
10:49 PM: kristen@homestore[1].txt (ID = 2793)
10:49 PM: Found Spy Cookie: about cookie
10:49 PM: kristen@humor.about[1].txt (ID = 2038)
10:49 PM: Found Spy Cookie: screensavers.com cookie
10:49 PM: kristen@i.screensavers[2].txt (ID = 3298)
10:49 PM: Found Spy Cookie: incredifind cookie
10:49 PM: kristen@incredifind[2].txt (ID = 2849)
10:49 PM: kristen@installs.180solutions[1].txt (ID = 1934)
10:49 PM: Found Spy Cookie: kount cookie
10:49 PM: kristen@kount[2].txt (ID = 2911)
10:49 PM: Found Spy Cookie: netster cookie
10:49 PM: kristen@lb1.netster[1].txt (ID = 3072)
10:49 PM: kristen@media.homestore[1].txt (ID = 2794)
10:49 PM: Found Spy Cookie: ugo cookie
10:49 PM: kristen@mediamgr.ugo[2].txt (ID = 3609)
10:49 PM: kristen@msnportal.112.2o7[1].txt (ID = 1958)
10:49 PM: Found Spy Cookie: mywebsearch cookie
10:49 PM: kristen@mywebsearch[2].txt (ID = 3051)
10:49 PM: Found Spy Cookie: nextag cookie
10:49 PM: kristen@nextag[1].txt (ID = 5014)
10:49 PM: Found Spy Cookie: offeroptimizer cookie
10:49 PM: kristen@offeroptimizer[1].txt (ID = 3087)
10:49 PM: kristen@overture[2].txt (ID = 3105)
10:49 PM: kristen@perf.overture[1].txt (ID = 3106)
10:49 PM: kristen@psc.disney.go[1].txt (ID = 2729)
10:49 PM: kristen@rapidresponse.directtrack[2].txt (ID = 2528)
10:49 PM: Found Spy Cookie: rednova cookie
10:49 PM: kristen@rednova[1].txt (ID = 3245)
10:49 PM: Found Spy Cookie: rightmedia cookie
10:49 PM: kristen@rightmedia[2].txt (ID = 3259)
10:49 PM: Found Spy Cookie: server.iad.liveperson cookie
10:49 PM: kristen@server.iad.liveperson[2].txt (ID = 3341)
10:49 PM: Found Spy Cookie: servlet cookie
10:49 PM: kristen@servlet[1].txt (ID = 3345)
10:49 PM: Found Spy Cookie: spywarestormer cookie
10:49 PM: kristen@spywarestormer[1].txt (ID = 3417)
10:50 PM: Found Spy Cookie: reliablestats cookie
10:50 PM: kristen@stats1.reliablestats[1].txt (ID = 3254)
10:50 PM: kristen@tickle[2].txt (ID = 3529)
10:50 PM: Found Spy Cookie: tracking cookie
10:50 PM: kristen@tracking[1].txt (ID = 3571)
10:50 PM: Found Spy Cookie: coremetrics cookie
10:50 PM: kristen@twci.coremetrics[1].txt (ID = 2472)
10:50 PM: Found Spy Cookie: uproar cookie
10:50 PM: kristen@uproar[2].txt (ID = 3612)
10:50 PM: kristen@web.tickle[1].txt (ID = 3530)
10:50 PM: Found Spy Cookie: webservicehosts cookie
10:50 PM: kristen@webservicehosts[2].txt (ID = 3662)
10:50 PM: Found Spy Cookie: affiliatefuel.com cookie
10:50 PM: kristen@www.affiliatefuel[1].txt (ID = 2202)
10:50 PM: kristen@www.disney.go[1].txt (ID = 2729)
10:50 PM: kristen@www.goldenpalace[1].txt (ID = 2735)
10:50 PM: kristen@www.rednova[1].txt (ID = 3246)
10:50 PM: kristen@www.screensavers[1].txt (ID = 3298)
10:50 PM: Found Spy Cookie: toprebates.com cookie
10:50 PM: kristen@www.toprebates[2].txt (ID = 3562)
10:50 PM: Found Spy Cookie: yadro cookie
10:50 PM: kristen@yadro[1].txt (ID = 3743)
10:50 PM: kristen@yieldmanager[2].txt (ID = 3749)
10:50 PM: tyler@ad.yieldmanager[1].txt (ID = 3751)
10:50 PM: tyler@adopt.specificclick[2].txt (ID = 3400)
10:50 PM: tyler@ask[1].txt (ID = 2245)
10:50 PM: tyler@atwola[1].txt (ID = 2255)
10:50 PM: tyler@stats1.reliablestats[2].txt (ID = 3254)
10:50 PM: kim@ad.yieldmanager[1].txt (ID = 3751)
10:50 PM: kim@adopt.specificclick[1].txt (ID = 3400)
10:50 PM: kim@adrevolver[2].txt (ID = 2088)
10:50 PM: kim@adrevolver[3].txt (ID = 2088)
10:50 PM: kim@ads.addynamix[1].txt (ID = 2062)
10:50 PM: kim@ads.pointroll[2].txt (ID = 3148)
10:50 PM: kim@apmebf[2].txt (ID = 2229)
10:50 PM: kim@ask[2].txt (ID = 2245)
10:50 PM: kim@ath.belnk[1].txt (ID = 2293)
10:50 PM: kim@atwola[1].txt (ID = 2255)
10:50 PM: kim@azjmp[2].txt (ID = 2270)
10:50 PM: kim@banner[1].txt (ID = 2276)
10:50 PM: kim@belnk[2].txt (ID = 2292)
10:50 PM: kim@cnn.122.2o7[1].txt (ID = 1958)
10:50 PM: kim@cookie.tickle[1].txt (ID = 3530)
10:50 PM: Found Spy Cookie: 360i cookie
10:50 PM: kim@ct.360i[2].txt (ID = 1962)
10:50 PM: kim@dist.belnk[1].txt (ID = 2293)
10:50 PM: kim@overture[2].txt (ID = 3105)
10:50 PM: kim@perf.overture[1].txt (ID = 3106)
10:50 PM: kim@server.iad.liveperson[2].txt (ID = 3341)
10:50 PM: kim@stats1.reliablestats[1].txt (ID = 3254)
10:50 PM: kim@tickle[2].txt (ID = 3529)
10:50 PM: kim@tracking[2].txt (ID = 3571)
10:50 PM: kim@twci.coremetrics[1].txt (ID = 2472)
10:50 PM: Found Spy Cookie: burstbeacon cookie
10:50 PM: kim@www.burstbeacon[1].txt (ID = 2335)
10:50 PM: Found Spy Cookie: web-stat cookie
10:50 PM: kim@www.web-stat[2].txt (ID = 3649)
10:50 PM: scott@ads.pointroll[2].txt (ID = 3148)
10:50 PM: Found Spy Cookie: sharewareonline cookie
10:50 PM: scott@adserver.sharewareonline[1].txt (ID = 3366)
10:50 PM: scott@apmebf[1].txt (ID = 2229)
10:50 PM: scott@atwola[1].txt (ID = 2255)
10:50 PM: scott@cnn.122.2o7[1].txt (ID = 1958)
10:50 PM: scott@data3.perf.overture[2].txt (ID = 3106)
10:50 PM: scott@nextag[1].txt (ID = 5014)
10:50 PM: Found Spy Cookie: partypoker cookie
10:50 PM: scott@partypoker[2].txt (ID = 3111)
10:50 PM: scott@perf.overture[1].txt (ID = 3106)
10:50 PM: Found Spy Cookie: qsrch cookie
10:50 PM: scott@qsrch[1].txt (ID = 3215)
10:50 PM: scott@stats1.reliablestats[2].txt (ID = 3254)
10:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
10:50 PM: Starting File Sweep
10:50 PM: c:\documents and settings\kristen\application data\starware (47 subtraces) (ID = -2147480225)
10:50 PM: c:\documents and settings\tyler\application data\starware (45 subtraces) (ID = -2147480225)
10:50 PM: c:\documents and settings\kristen\local settings\temp\fleok (ID = -2147480558)
10:50 PM: c:\program files\support software (ID = -2147480532)
10:50 PM: c:\documents and settings\all users\application data\starware (18 subtraces) (ID = -2147480224)
10:50 PM: c:\program files\starware (6 subtraces) (ID = -2147480223)
10:50 PM: c:\documents and settings\kristen\local settings\temp\clrsch (ID = -2147481250)
10:50 PM: c:\program files\websavingsfromebates (31 subtraces) (ID = -2147481067)
10:50 PM: c:\documents and settings\kim\application data\starware (45 subtraces) (ID = -2147480225)
10:50 PM: c:\program files\se (4 subtraces) (ID = -2147480358)
10:50 PM: c:\program files\medialoads (173 subtraces) (ID = -2147481081)
10:50 PM: c:\documents and settings\scott\application data\starware (45 subtraces) (ID = -2147480225)
10:51 PM: Found Adware: comet cursor
10:51 PM: dm.inf (ID = 53551)
10:52 PM: Found Adware: ist yoursitebar
10:52 PM: ysbactivex.dll (ID = 133888)
10:55 PM: res11e.tmp (ID = 70500)
10:56 PM: Found Adware: elitemediagroup-mediamotor
10:56 PM: mm20.inf (ID = 74036)
10:57 PM: resaf.tmp (ID = 70507)
11:03 PM: unstsa2.exe (ID = 51496)
11:04 PM: msbb.exe (ID = 70556)
11:04 PM: ncmyb.dll (ID = 70584)
11:04 PM: bargain3.exe (ID = 50540)
11:04 PM: Found Trojan Horse: trojan downloader sysupdates
11:04 PM: wsebate1.exe (ID = 80968)
11:05 PM: nvms.dll (ID = 70411)
11:05 PM: mscb.dll (ID = 70399)
11:05 PM: omniband.dll (ID = 111868)
11:07 PM: rgrt.exe (ID = 63365)
11:07 PM: bidulator.exe (ID = 115242)
11:08 PM: cdt_bbi8016.exe (ID = 50582)
11:08 PM: delb.tmp (ID = 70620)
11:08 PM: djebmm350.exe (ID = 59578)
11:08 PM: delaf.tmp (ID = 70620)
11:08 PM: zangoinstaller.exe (ID = 184234)
11:10 PM: axuninstall.exe (ID = 111862)
11:10 PM: bm.dat (ID = 74957)
11:10 PM: dwcg2.exe (ID = 59299)
11:11 PM: mmaker2.exe (ID = 59683)
11:11 PM: key2.txt (ID = 51468)
11:13 PM: roing17.ocx (ID = 74133)
11:13 PM: roing17.ocx (ID = 74133)
11:13 PM: Found Adware: twain-tech
11:13 PM: twaintec.inf (ID = 81888)
11:13 PM: Found Adware: directrevenue-abetterinternet
11:13 PM: alchem.inf (ID = 83109)
11:13 PM: alchem.ini (ID = 83112)
11:13 PM: twaintec.inf (ID = 81889)
11:13 PM: twaintec.inf (ID = 81889)
11:13 PM: Found Adware: ezsearchbar
11:13 PM: ctadl.inf (ID = 60336)
11:13 PM: alchem.inf (ID = 83109)
11:13 PM: twaintec.inf (ID = 81889)
11:14 PM: File Sweep Complete, Elapsed Time: 00:24:24
11:14 PM: Full Sweep has completed. Elapsed time 00:29:07
11:14 PM: Traces Found: 1173
11:15 PM: Removal process initiated
11:20 PM: Quarantining All Traces: 180search assistant/zango
11:20 PM: Quarantining All Traces: clearsearch
11:20 PM: Quarantining All Traces: directrevenue-abetterinternet
11:20 PM: Quarantining All Traces: virtumonde
11:20 PM: virtumonde is in use. It will be removed on reboot.
11:20 PM: C:\WINDOWS\SYSTEM32\jkkli.dll is in use. It will be removed on reboot.
11:20 PM: C:\WINDOWS\SYSTEM32\pmnll.dll is in use. It will be removed on reboot.
11:20 PM: Quarantining All Traces: blazefind
11:20 PM: Quarantining All Traces: comet cursor
11:20 PM: Quarantining All Traces: searchexe
11:20 PM: Quarantining All Traces: sidesearch
11:21 PM: Quarantining All Traces: starware toolbar
11:21 PM: Quarantining All Traces: trojan downloader sysupdates
11:21 PM: Quarantining All Traces: trojan-downloader-conhook
11:21 PM: trojan-downloader-conhook is in use. It will be removed on reboot.
11:21 PM: ddccb.dll is in use. It will be removed on reboot.
11:21 PM: Quarantining All Traces: ebates money maker
11:21 PM: Quarantining All Traces: elitemediagroup-mediamotor
11:21 PM: Quarantining All Traces: exact bullseye
11:21 PM: Quarantining All Traces: exact cashback/bargain buddy
11:21 PM: Quarantining All Traces: exact navisearch
11:22 PM: exact navisearch is in use. It will be removed on reboot.
11:22 PM: nvms.dll is in use. It will be removed on reboot.
11:22 PM: mscb.dll is in use. It will be removed on reboot.
11:22 PM: Quarantining All Traces: ezsearchbar
11:22 PM: Quarantining All Traces: great net downloadware
11:22 PM: Quarantining All Traces: ieplugin hijacker
11:22 PM: Quarantining All Traces: ieplugin
11:22 PM: Quarantining All Traces: internexus dialer
11:22 PM: Quarantining All Traces: ist yoursitebar
11:22 PM: Quarantining All Traces: networkessentials
11:22 PM: Quarantining All Traces: redzip toolbar
11:22 PM: Quarantining All Traces: search-exe hijacker
11:22 PM: Quarantining All Traces: twain-tech
11:22 PM: Quarantining All Traces: upspiral toolbar
11:22 PM: Quarantining All Traces: webrebates
11:22 PM: Quarantining All Traces: 180solutions cookie
11:22 PM: Quarantining All Traces: 2o7.net cookie
11:22 PM: Quarantining All Traces: 360i cookie
11:22 PM: Quarantining All Traces: 412 cookie
11:22 PM: Quarantining All Traces: 69.93.205 cookie
11:22 PM: Quarantining All Traces: about cookie
11:22 PM: Quarantining All Traces: addynamix cookie
11:22 PM: Quarantining All Traces: adecn cookie
11:22 PM: Quarantining All Traces: adlegend cookie
11:22 PM: Quarantining All Traces: adrevolver cookie
11:22 PM: Quarantining All Traces: adultfriendfinder cookie
11:22 PM: Quarantining All Traces: affiliate cookie
11:22 PM: Quarantining All Traces: affiliatefuel.com cookie
11:22 PM: Quarantining All Traces: apmebf cookie
11:22 PM: Quarantining All Traces: ask cookie
11:22 PM: Quarantining All Traces: atwola cookie
11:22 PM: Quarantining All Traces: avres cookie
11:22 PM: Quarantining All Traces: azjmp cookie
11:22 PM: Quarantining All Traces: banner cookie
11:22 PM: Quarantining All Traces: banners cookie
11:22 PM: Quarantining All Traces: belnk cookie
11:22 PM: Quarantining All Traces: bpath cookie
11:22 PM: Quarantining All Traces: burstbeacon cookie
11:22 PM: Quarantining All Traces: clickandtrack cookie
11:22 PM: Quarantining All Traces: coremetrics cookie
11:22 PM: Quarantining All Traces: customer cookie
11:22 PM: Quarantining All Traces: directtrack cookie
11:22 PM: Quarantining All Traces: enhance cookie
11:22 PM: Quarantining All Traces: exitexchange cookie
11:22 PM: Quarantining All Traces: go.com cookie
11:22 PM: Quarantining All Traces: goclick cookie
11:22 PM: Quarantining All Traces: goldenpalace cookie
11:22 PM: Quarantining All Traces: hbmediapro cookie
11:22 PM: Quarantining All Traces: homestore cookie
11:22 PM: Quarantining All Traces: incredifind cookie
11:22 PM: Quarantining All Traces: kount cookie
11:22 PM: Quarantining All Traces: mywebsearch cookie
11:22 PM: Quarantining All Traces: netster cookie
11:22 PM: Quarantining All Traces: nextag cookie
11:22 PM: Quarantining All Traces: offeroptimizer cookie
11:22 PM: Quarantining All Traces: overture cookie
11:22 PM: Quarantining All Traces: partypoker cookie
11:22 PM: Quarantining All Traces: pointroll cookie
11:22 PM: Quarantining All Traces: precisead cookie
11:22 PM: Quarantining All Traces: qsrch cookie
11:22 PM: Quarantining All Traces: rednova cookie
11:22 PM: Quarantining All Traces: reliablestats cookie
11:22 PM: Quarantining All Traces: rightmedia cookie
11:22 PM: Quarantining All Traces: sandboxer cookie
11:22 PM: Quarantining All Traces: screensavers.com cookie
11:22 PM: Quarantining All Traces: server.iad.liveperson cookie
11:22 PM: Quarantining All Traces: servlet cookie
11:22 PM: Quarantining All Traces: sharewareonline cookie
11:22 PM: Quarantining All Traces: specificclick.com cookie
11:22 PM: Quarantining All Traces: spywarestormer cookie
11:22 PM: Quarantining All Traces: tickle cookie
11:22 PM: Quarantining All Traces: toprebates.com cookie
11:22 PM: Quarantining All Traces: tracking cookie
11:22 PM: Quarantining All Traces: ugo cookie
11:22 PM: Quarantining All Traces: uproar cookie
11:22 PM: Quarantining All Traces: webservicehosts cookie
11:22 PM: Quarantining All Traces: websponsors cookie
11:22 PM: Quarantining All Traces: web-stat cookie
11:22 PM: Quarantining All Traces: yadro cookie
11:22 PM: Quarantining All Traces: yieldmanager cookie
11:23 PM: Warning: The media is write protected
********
10:43 PM: | Start of Session, Saturday, January 07, 2006 |
10:43 PM: Spy Sweeper started
10:44 PM: Your spyware definitions have been updated.
10:45 PM: | End of Session, Saturday, January 07, 2006 |

EWIDO:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:50:29 AM, 1/8/2006
+ Report-Checksum: A3D81330

+ Scan result:

C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wfk4oid5mfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wfkokmajklo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wfkyqocjkfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wflocldpiao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wflyukd5cgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wflywnczolq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wfmighc5oep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wfmycmcjwko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wgkiqkdpado.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjk4glajsdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjk4ukczibq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjkyakczwfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjkyggdpgbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjkyopdpefo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjkysgdzidq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjlicmcjslp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjlikpcpkeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjliskazwhp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjliskcpcho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjlisocjibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjlyemdzwbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjmiclajmbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjny-1odjsd.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjnyapazcdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjnycnajmhp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjnycpdjwfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjnygpdzwlp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@e-2dj6wjnyolc5obo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@ehg-hyundaiusa.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@ehg-nestleusainc.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@ehg-newscientist.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@ehg-pfizer.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@ehg-rr.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Cookies\kim@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@ads.specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@ads.x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@ehg-rr.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@media.fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@twci.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Kim\Local Settings\Temp\Cookies\kim@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\0m3zq399.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@ehg-zentropypartners.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\cln3E.tmp -> Downloader.Dyfuca.cq : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@hg1.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@media.fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Scott\Local Settings\Temp\Cookies\scott@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CoolSpeech\Realtime.dll -> Backdoor.Delf.eb : Cleaned with backup
C:\Program Files\WildTangent\Components\SystemConfig0100.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Zango Games\David vs Goliath\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Zango Games\David vs Goliath\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410448.exe -> Spyware.BlazeFind : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410449.dll -> Spyware.BlazeFind : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410450.exe -> Dropper.Delf.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410453.exe -> Spyware.BargainBuddy.f : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410454.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410455.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP645\A0410457.exe -> Adware.ShopNav : Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\ddcyv.dll -> Downloader.ConHook.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\geeby.dll -> Downloader.ConHook.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\pmkhe.dll -> Downloader.ConHook.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\pmnnk.dll -> Downloader.ConHook.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\vturp.dll -> Downloader.ConHook.r : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End


HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:08 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124330648750
O20 - Winlogon Notify: ddccb - ddccb.dll (file missing)
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Kodak Camera Connection Sof

Edited by ScottyG, 08 January 2006 - 10:24 AM.


#10 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 08 January 2006 - 10:27 AM

Scan with HijackThis (close all browser windows), then put a check beside these lines and choose FIX:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O20 - Winlogon Notify: ddccb - ddccb.dll (file missing)
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)

Then reboot and post a new HijackThis log, please.



#11 ScottyG

ScottyG

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 08 January 2006 - 10:53 AM

Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:14 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124330648750
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#12 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 08 January 2006 - 10:57 AM

Have HijackThis fix this line:

R3 - Default URLSearchHook is missing

Then reboot and post a new log. How is it running after the reboot?
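The two fix rounds above (#10 and #12) follow a pattern worth automating when you work through HijackThis logs regularly: flag the entries that point at nothing or at an unqualified filename, then diff the next log against the previous one to confirm they are gone. The script below is an added example, not part of this thread or of HijackThis itself; its flagging heuristics are this example's own, not the helper's rules, and the two embedded logs are constructed subsets of the logs quoted in this thread (the one reviewed in #10 and the one posted afterwards).

```python
"""Triage a HijackThis (HJT) log and confirm that a fix round took effect.

Added example, not part of the forum thread or of HijackThis itself.
The heuristics below are this example's own, not the helper's rules.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed subset of the log reviewed in post #10
# and of the log posted after that fix round.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O20 - Winlogon Notify: ddccb - ddccb.dll (file missing)
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Every HJT entry line starts with a section tag such as R1, O4, O20.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 registry entries look like: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in an HJT log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _executable(cmd: str) -> str:
    """First token of a Run command: the quoted path if present, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log: str) -> Dict[str, List[str]]:
    """Flag entries a helper would normally ask HijackThis to fix.

    orphaned:     O2 BHO / O20 Winlogon Notify entries whose DLL is gone. The
                  registry hook remains, so a file dropped back at that path is
                  loaded again at logon (O20) or into IE (O2) with no reinstall.
    bare_command: O4 Run/RunServices entries naming a file with no directory.
                  Windows resolves these through the executable search path, so
                  the entry runs whichever 'system.exe' is found first. Some
                  legitimate entries are bare too, so this needs a human look.
    hook_missing: R3 'Default URLSearchHook is missing': the stock IE search hook
                  value is absent; fixing the line restores the default.
    """
    found: Dict[str, List[str]] = {"orphaned": [], "bare_command": [], "hook_missing": []}
    for kind, body in parse_hjt(log):
        line = f"{kind} - {body}"
        if kind in ("O2", "O20") and ("(no file)" in body or "(file missing)" in body):
            found["orphaned"].append(line)
        elif kind == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in _executable(m.group("cmd")):
                found["bare_command"].append(line)
        elif kind == "R3" and "is missing" in body:
            found["hook_missing"].append(line)
    return found


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one."""
    after_set = {f"{k} - {b}" for k, b in parse_hjt(after)}
    return [f"{k} - {b}" for k, b in parse_hjt(before) if f"{k} - {b}" not in after_set]


def still_flagged(before: str, after: str) -> List[str]:
    """Flagged entries from the earlier log that survived the fix round."""
    after_set = {f"{k} - {b}" for k, b in parse_hjt(after)}
    flagged = [line for lines in triage(before).values() for line in lines]
    return [line for line in flagged if line in after_set]


if __name__ == "__main__":
    for category, lines in triage(BEFORE_LOG).items():
        print(f"{category}:")
        for line in lines:
            print("  " + line)
    print("removed by the fix:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
    print("still present:", still_flagged(BEFORE_LOG, AFTER_LOG))
```

Run against the two sample logs, `still_flagged` returns only the R3 line, which matches what happened in this thread: the first fix round removed the orphaned BHO and Winlogon Notify hooks and the two bare `system.exe` Run entries, and the search hook had to be fixed a second time.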

#13 ScottyG

ScottyG

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 08 January 2006 - 11:21 AM

I just had my daughter try it out and one of her sites wouldn't load correctly due to not having Macromedia Flash8, which WAS recently put on this machine. I assume you don't want me to load any new stuff, so I didn't load it.

I haven't seen WinFixer pop up (which is the main issue), but I'm not really happy with the "sluggishness" of the box in general, which doesn't seem to be any better or worse since I've been working with you.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:45 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124330648750
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Edited by ScottyG, 08 January 2006 - 11:22 AM.


#14 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 08 January 2006 - 11:24 AM

Well, it looks like we got the infections off the system :)

Let's do some cleaning.

Download CCleaner from the link below and save it to your desktop. Open CCleaner and click on Run Cleaner at the bottom right.

http://www.majorgeek...wnload4191.html

Next, download RegSeeker from the link below and save it to your desktop. Open RegSeeker and click on Clean Registry, then click OK. Once the scan is complete, make sure "make backups" is checked, then select all and delete.

http://www.majorgeek...wnload2579.html

Next, you need to clean out your System Restore. You can do that by turning it off and then back on.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.


1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Then a reboot and a final hijackthis log please.

#15 ScottyG

ScottyG

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 09 January 2006 - 10:34 AM

I'm at work, so it will be this evening (Central time) before I can get back to you. Thanks, Scott
