WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please take a look at this "hijack this" log

Started by Longhorn28 , Mar 13 2006 12:12 PM

This topic is locked

9 replies to this topic

#1 Longhorn28

New Member

New Member
5 posts

Posted 13 March 2006 - 12:12 PM

Below is my log. At first I thought Zeno sypware was the problem, but now my spyware doctor is saying that the computer tries to access "qklinkserver" a lot. Help would be greatly apprecaited.

Logfile of HijackThis v1.99.1
Scan saved at 12:00:39 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\??crosoft\cmd.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Lisch\Desktop\hijackthis[1]\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nss38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zGSl] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rspvu] C:\Program Files\Common Files\??crosoft\cmd.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileelimi... Eliminator.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: WUSB54GSVC - Unknown owner - C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe (file missing)

Thanks!
David

Advertisements

Register to Remove

#2 Piatan

SuperMember

Authentic Member
1,825 posts

Posted 19 March 2006 - 03:07 PM

Hi Longhorn28:

Looks like you have a Cool Web Search infestation and a few others as well.

Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html

First, be sure to update CWShredder.
Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.
Then, please reboot.

Next:
Please install, update, then configure Ad-Aware SE to the following directions. If you already have Ad-Aware SE, be sure to first update it , configure it to do a full systems scan, then run it and let it remove anything it asks about.
Install and how to use Ad-aware SE
http://www.bleepingc...showtutorial=48

After finishing with Ad-Aware SE, please reboot.

Next:
Please set your system to show all files; please see here if you're unsure how to do this.

Disable Microsoft AntiSpyware:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware
Click on Tools, Settings.
In the left pane, click on Real-time Protection
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Disable Spyware Doctor:
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:

Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor

Once your log is clean you can re-enable Spyware Doctor.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nss38.dll
O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll
O4 - HKLM\..\Run: [zGSl] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe" -vt ndrv
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileelimi... Eliminator.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll

Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

C:\WINDOWS\system32\nss38.dll
C:\WINDOWS\system32\y7xnyala7.dll
C:\WINDOWS\system32\slk8x2peu.exe

Please Note: The following is a Program, so must also be Uninstalled/Removed in Control Panel-->Add/Remove Programs.
C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe

Exit Explorer, enable hidden files and reboot as normal.

If you were unable to find, or delete any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Next:
Please download, install, update and scan your system with the free version of Ewido trojan scanner:[list=1]
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be updated with the link above and be used to scan and remove undesirables.

Then, please run Hijack This again. Scan and copy the log and post it into this topic, along with the Ewido report.

Please advise if any problems remain.

To post, please use the Add Reply feature, so I will be notified.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#3 Longhorn28

New Member

New Member
5 posts

Posted 20 March 2006 - 09:06 AM

Thanks for the help!

-A few thing though. I did as you said, until the reboot in safe mode part. I currently have a microsoft wireless keyboard and mouse, and after I checked the requested items in HijackThis, and then deleted them and rebooted the computer, it came up with a "keyboard failure". I plugged my old keyboard and mouse (both USB, but used a converter for the mouse) back into the computer, and the mouse worked, but the keyboard did not. I tried a converter on both, and only the mouse still worked. I finally plugged the keyboard into the USB in the back of the computer, and the USB mouse into a USB port on the keyboard and they both work.

-For some reason, it still says keyboard failure during boot up, but runs ok once windows starts. This disables me to get the computer to run in safe mode.

Below is a new Hijackthis log, and it seems that some (if not most) of the bugs are gone. For now, I have re-enabled all real-time protection again.

Logfile of HijackThis v1.99.1
Scan saved at 8:49:06 AM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\??crosoft\cmd.exe
C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Lisch\Desktop\hijackthis[1]\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rspvu] C:\Program Files\Common Files\??crosoft\cmd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: WUSB54GSVC - Unknown owner - C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe (file missing)

Thanks!!

#4 Longhorn28

New Member

New Member
5 posts

Posted 20 March 2006 - 09:10 AM

One last thing, I checked in windows explorer for the files you wanted me to delete while in safe mode, and the first one is not there, but the last 2 are (y7xnyala7.dll, slk8x2peu.exe). If i cannot get into safe mode, do you want me to delete this in normal windows, where I have administrator privileges? -Longhorn28

#5 Piatan

SuperMember

Authentic Member
1,825 posts

Posted 20 March 2006 - 11:59 AM

The following link will provide you with an optional method for booting into Safe Mode.
Please use the method described for your particular Operating System.

http://service1.syma...src=sec_doc_nam

Having problems doing anything after getting into SAFE MODE ?

After booting in "safe mode", push these three keys at the same time:

<Ctrl><Alt><Del>

The task manager appears on the screen.

Click on the Applications tab, then click New task.

Then click on Browse. You can then go to the Program needed.

If this is successful, please continue on with the suggestions as given in my previous post.

After finishing, I would like to see a fresh Hijack This log and the Ewido report, please.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#6 Longhorn28

New Member

New Member
5 posts

Posted 21 March 2006 - 10:38 PM

Here is the log file after completing all of your steps. The only problem i had was when i ran Ewido, it said this " The file "c:\documents and settings\david lisch\local settings\temp\E7B31.tmp/zj6n.exe" cannot be removed because it is embedded in the archive "c:\documents and settings\david lisch\local settings\temp\E7B31.tmp" Do you want to remove the whole archive?"...I told it not to because i did not know what this file is. Please advise on what to do.

thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:29:33 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\David Lisch\Desktop\hijackthis[1]\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rspvu] C:\Program Files\Common Files\??crosoft\cmd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: WUSB54GSVC - Unknown owner - C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe (file missing)

#7 Piatan

SuperMember

Authentic Member
1,825 posts

Posted 22 March 2006 - 11:57 AM

Hi Longhorn28

Good job. You did fine and the entry Ewido reported should be removed, when we delete the "temp" files from your PC. I really do need to see an Ewido report, so please include a fresh one with your next post.

Please print, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.

Please set your system to show all files; please see here if you're unsure how to do this.

Disable Microsoft AntiSpyware:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware
Click on Tools, Settings.
In the left pane, click on Real-time Protection
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor

Once your log is clean you can re-enable Spyware Doctor.

Disable Ewido:
Please disable Ewido, as it may interfere with the fix.[br]To disable Ewido:
From the system tray:

Right-click the system tray icon and uncheck real time protection.
or From within Ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

Once your log is clean you can re-enable Ewido.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.

O4 - HKCU\..\Run: [Rspvu] C:\Program Files\Common Files\??crosoft\cmd.exe

Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe
C:\Program Files\Common Files\??crosoft\cmd.exe

Exit Explorer, enable hidden files and reboot as normal.

If you were unable to find, or delete any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Next:
Boot into SAFE MODE:
To restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Next:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

(When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK.)

Then, in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Also delete "COOKIES". Click Apply then OK.

Then reboot into NORMAL MODE.

Then, please run Ewido again and save the report, to be posted into this topic.

Then, please run Hijack This again. Scan and copy the log and post it into this topic, along with the Ewido report.

Please advise if any problems remain.

To post, please use the Add Reply feature, so I will be notified.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#8 Longhorn28

New Member

New Member
5 posts

Posted 22 March 2006 - 11:55 PM

I followed the instructions, but could not find these files:
C:\PROGRA~1\COMMON~1\YSTEM~1\dvdplay.exe
C:\Program Files\Common Files\??crosoft\cmd.exe

and when i put the 1st one (using "system" and not "ystem~1") into pocket killbox, it gave me this message : "PendingFileRenameOperations Registry Data has been Removed by External Process!". I did not try for the 2nd one because I didn't know what "??crosoft" meant.

Here is the ewido log from the last post, where i forgot to include it: (below this is the latest ewido log, after doing your comments above)
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:26:24 PM, 3/21/2006
+ Report-Checksum: C8581444

+ Scan result:

HKLM\SOFTWARE\Classes\msielink.relatedlinksProtocol -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\msielink.relatedlinksProtocol\Clsid -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
[252] C:\Program Files\Common Files\Міcrosoft\cmd.exe -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@a-1shz2prbmdj6wvny-1sez2pra2dj6wjmyokdpwloq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@click.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4anczskq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4gjcpibp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4old5cfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4qjdpadp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4ugc5mdp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4wlcpseq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfk4wmcpclq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiaiajigo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiamcpgdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiaoajkkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiaod5ocp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiokc5ido.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkiukazwcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkoajazago.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkoakcjmdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkoapd5who.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkokmd5ifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkoogdzkao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkouhcjwgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkoupdjegp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkykocjeap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkykod5aaq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkysoazwhq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfkyugazccp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfliaiczwgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wflickdzeeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfliendjwbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfligkd5mgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfligodjwgp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wflikkcpodo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfliqhdjsap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfloandzibp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfloeld5mfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfloeodzmlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wflowpczkap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfmikkc5acp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfmiomcpacp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wfmiqlc5icp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wgkoaiczgko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wgkoaoczkgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wgkoujc5efp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wgkywncpwcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4cld5ggp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4ggcjshp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4ghc5sgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4kidzcaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4qncjccp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4qndjwep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4sodjmgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4ujazaep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4wnazwdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjk4wndpkbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkoaldjokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkognd5abp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkokidjcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkokmd5gkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkoogdzslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkoold5ago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkooocpidq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkosnczsho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkouicjcgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkouod5ecq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkowjajcbo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyaidjmlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyehdzoap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyeidpmap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyeldzabo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyglcpido.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkygoazoeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyklajalo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyopdpmkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyqpajsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkysgdjado.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkysocpkcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyuid5ckp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyulajibo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjkyuncjcko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4ajajkbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4gmd5eap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4kkc5wep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4klcjeeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4onczcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4smajifp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjl4wid5skp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlialcjibo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlicmajihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlicodzgfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjliqmc5wkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjliqmcjcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjliuiazsdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjliwpcjodo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjloaodzifp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlocgd5alo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlokhajmdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlokoazeho.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlospc5mao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyakc5wbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlygidpmgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlykpajeeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyogcjcdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyogd5keo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyqhazgep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyskd5wap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlyund5elp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlywodjifo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmikjczgcq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmisodjmcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmiuicjsep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmiulcpago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmiwpcpslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmycidjohp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyegdpkep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyggdzcgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmygicjogq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmykkazcfq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyoiazofp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyqiazmeq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyuicjchq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjmyuodpihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjny-1jdzsc.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjny-1ndjcb.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjny-1ndjeh.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjny-1pdjcg.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyajazifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyaldpelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyclcpaeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnycmazgcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnycpd5abq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyenc5slo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyepczsgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnygjcpsho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnygmajmdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyohc5sko.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyqpazmao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyqpcjggp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnysiczsdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyuhczshp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyuicpogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjnyuodzckp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www2.click2begin[2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www3.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www4.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@www6.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4wjd5kfpwqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkickcjgepamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkykjd5seoaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmikjczgfowydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmycmajsbogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyegdpseqqqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\David Lisch\Local Settings\Temp\!update.exe -> Downloader.PurityScan.bw : Cleaned with backup
C:\Documents and Settings\David Lisch\Local Settings\Temp\Cookies\david lisch@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\David Lisch\Local Settings\Temp\E7B31.tmp/zj6n.exe -> Trojan.Runner.h : Error during cleaning
C:\Documents and Settings\David Lisch\Local Settings\Temporary Internet Files\Content.IE5\OJE5M1GR\!update-3595[1].0000 -> Downloader.PurityScan.bw : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@ads49.bpath[2].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@adserv.internetfuel[2].txt -> TrackingCookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@centrport[2].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@clickagents[2].txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@count.xhit[1].txt -> TrackingCookie.Xhit : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter10.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter11.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter12.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter2.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@mediatrack.popupsponsor[2].txt -> TrackingCookie.Popupsponsor : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@popupsponsor[1].txt -> TrackingCookie.Popupsponsor : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@premiumnetworkrocks.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@rccl.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@server4.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@sexcounter[1].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@tracking.g3x[2].txt -> TrackingCookie.G3x : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@www1.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@www7.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\New\Cookies\new@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\My Downloads\Temp Music Holding Folder\Command And Conquer The First Decade Read Nfo Clonedvd Mirror.zip/Setup.exe -> Worm.VB.dw : Error during cleaning
C:\Program Files\Common Files\Міcrosoft\cmd.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\777FD088-3B98-4F98-B8F1-E1BE14\873D7CAF-B096-4403-9EEF-E6E86B -> Adware.NavExcel : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E5A7F784-695E-4597-B07F-73A7AB\0683EDBF-F999-4539-8F03-AD42B3 -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1130\A0169786.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1130\A0169787.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1130\A0169804.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\zj6n.exe -> Trojan.Runner.h : Cleaned with backup

::Report End

here it is from the newest post:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:39:06 PM, 3/22/2006
+ Report-Checksum: E21A929D

+ Scan result:

C:\Documents and Settings\David Lisch\Cookies\david lisch@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@e-2dj6wjlywnazkcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Lisch\Cookies\david lisch@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\S-1-5-21-448486026-2966927733-1597234714-1006\Dc937.exe -> Adware.ZenoSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-448486026-2966927733-1597234714-500\Dc1473.tmp/zj6n.exe -> Trojan.Runner.h : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1132\A0169894.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1132\A0169942.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1135\A0170035.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1140\A0171402.exe -> Adware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1140\A0171404.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1140\A0171405.exe -> Trojan.Runner.h : Cleaned with backup

::Report End

Here is the latest Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 11:49:32 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Lisch\Desktop\hijackthis[1]\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134570768\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: WUSB54GSVC - Unknown owner - C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe (file missing)

(I am not seeing very many problems anymore. at most, there are a few pop ups every now and then, but nothing like before. I really appreciate the help!!!)
Thanks!!

#9 Piatan

SuperMember

Authentic Member
1,825 posts

Posted 23 March 2006 - 10:47 AM

Hi Longhorn28, you're welcome.

It looks like Ewido picked up that "??crosoft" file, which was Purityscan adware, so no worries there. Those question marks in the file name could be any letters, so the file needs to be RIGHT CLICKED and check properties, which will sometimes give the name of the manufacturer, file size and other information, which will usually allow you to make an informed decision.

For those popups, I recommend switching to Firefox, to use as your primary browser. It is much safer to use to surf the net and includes its own excellent popup stopper. There is also a Google Toolbar available for Firefox, which also includes a popup stopper. Using both is highly recommended.

Take note, if you do use Firefox as your primary browser, IE will still need to be kept updated regularly.

Your Hijack This log came back clean.
If there are no continuing issues, I recommend the following.

One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
-reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
And also see TonyKlein's good advice
<http://castlecops.co...lite7736-.html>
So how did I get infected in the first place?

Safe surfing. :wavey:

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#10 Piatan

SuperMember

Authentic Member
1,825 posts

Posted 27 March 2006 - 08:21 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Body Background

skin color theme