Mirar Removal


This topic is locked
14 replies to this topic

#1 jGrindle36 (New Member, 7 posts)

Posted 12 May 2006 - 10:04 PM

The other day my computer went crazy and now mirar is invading my computer. Here's my hijackthis-

Logfile of HijackThis v1.99.1
Scan saved at 11:58:54 AM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\defender1.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1140457788\ee\aim6.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\common files\aol\1140457788\ee\aexplore.exe
c:\program files\common files\aol\1140457788\ee\aexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Grindle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmnusd.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [D-Link AirPremier Utility] C:\Program Files\D-Link\AirPremier Utility\D-Link\AirPremier Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\defender1.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [w02e77a1.dll] RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\system32\VSL04.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [wallpap.exe] C:\WINDOWS\system32\wallpap.exe
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

please help me get this carp** off!



#2 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 13 May 2006 - 06:39 AM

Hello jGrindle36 and Welcome to TomCoyote,

STEP 1.
======
Please set your system to show all files; please see here if you're unsure how to do this.

Please download LSPFix from : here.

Disconnect from the Internet and close all Internet Explorer and Explorer Windows.
Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of the following names and move them from the Keep to the Remove panel.
Be sure to move nothing other than the files with webhancer listed
010 - hijacked internet access by webhancer
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Scan with HijackThis. Place a check against each of the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmnusd.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [defender] C:\\defender1.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\system32\VSL04.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [wallpap.exe] C:\WINDOWS\system32\wallpap.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\defender1.exe<==file
C:\WINDOWS\pop06ap2.exe<==file
C:\WINDOWS\system32\irsmnusd.dll<==file
C:\defender1.exe<==file
C:\Program Files\webHancer\<==folder
C:\WINDOWS\system32\VSL04.exe<==file
C:\WINDOWS\system32\irssyncd.exe<==file
C:\WINDOWS\system32\wallpap.exe<==file
Exit Explorer, and reboot as normal afterwards.



STEP 2.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 3.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
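
As an added illustration (not code from this thread, from HijackThis or from any tool named here), the script below parses the HijackThis v1.99 log format posted above and flags the kinds of entries the helper acted on. The rules it applies (orphaned O2/O3 entries, executables run from the drive or Windows root, bare-name rundll32 loads, per-user Run entries into system32, extra programs chained on UserInit, any O10 or O15 line, start/search pages outside a small allowlist) are my own heuristics distilled from the fix list, and the sample log is assembled from lines in this thread.

```python
"""Triage a HijackThis v1.99 log (added example; heuristics are assumptions,
not an official HijackThis or forum rule set)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts accepted as legitimate start/search pages (assumption for this example).
SEARCH_ALLOW = {"www.yahoo.com", "www.google.com", "www.msn.com"}

# "O4 - HKLM\..\Run: [name] cmd" -> code="O4", body="HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# An .exe sitting directly in the drive root or the Windows root, e.g.
# C:\\defender1.exe or C:\WINDOWS\pop06ap2.exe (the backslash run tolerates C:\\).
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+(?:WINDOWS\\+)?[^\\"]+\.exe', re.I)
# rundll32 given a DLL by bare name, so it is resolved through the search path.
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^\s,\\]+\.dll)", re.I)


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    line: str    # the log line verbatim, ready to tick in HijackThis
    reason: str  # why the heuristic flagged it


def _check_o4(body):
    """Return a reason for an O4 (autostart) entry, or None if it looks ordinary."""
    key, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if RUNDLL_RE.match(cmd):
        return "rundll32 loads a DLL by bare name (no path)"
    if ROOT_EXE_RE.match(cmd):
        return "executable launched from the drive root or Windows root"
    if key.upper().startswith("HKCU") and "\\system32\\" in cmd.lower():
        return "per-user Run entry pointing into system32"
    return None


def triage(log_text):
    """Return a Finding for every entry a heuristic flags, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, 'Running processes' block, blank lines
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):
            host = urlparse(body.split("=", 1)[-1].strip()).netloc.lower()
            if host and host not in SEARCH_ALLOW:
                reason = "start/search page points at unlisted host " + host
        elif code == "R3" and "missing" in body:
            reason = "default URLSearchHook removed (typical of search hijackers)"
        elif code == "F2" and "UserInit=" in body:
            programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
            extra = [p for p in programs if p and not p.lower().endswith("\\userinit.exe")]
            if extra:
                reason = "UserInit chains extra programs: " + ", ".join(extra)
        elif code in ("O2", "O3") and "(no file)" in body:
            reason = "orphaned entry, file missing"
        elif code == "O4":
            reason = _check_o4(body)
        elif code == "O10" and "Hijacked" in body:
            reason = "LSP hijack; handled with LSPFix, not HijackThis"
        elif code == "O15":
            reason = "Trusted Zone entry added to Internet Explorer"
        if reason:
            findings.append(Finding(code, line, reason))
    return findings


def hijackthis_fix_list(findings):
    """Lines to tick under 'Fix checked'; O10 entries go to LSPFix instead."""
    return [f.line for f in findings if f.code != "O10"]


# Constructed sample: a shortened log built from lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmnusd.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [defender] C:\\defender1.exe
O4 - HKLM\..\Run: [w02e77a1.dll] RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\system32\VSL04.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Pattern rules alone do not catch the O2 RieMon BHO, which sits in system32 with a real file; that entry still needs a lookup of the CLSID or DLL, which is why the helper's list is longer than this script's.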

#3 jGrindle36 (New Member, 7 posts)

Posted 13 May 2006 - 10:07 AM

Ok, I did all the steps. Everything seems to be working fine now. When I load Windows I get an error "Error loading w02e77a1.dll . The specified module could not be found." I don't know what this is, but it just started popping up. Here are my results-

Logfile of HijackThis v1.99.1
Scan saved at 12:07:34 AM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\thiselt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ms060140161733.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\common files\aol\1140457788\ee\aim6.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Grindle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [D-Link AirPremier Utility] C:\Program Files\D-Link\AirPremier Utility\D-Link\AirPremier Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [w02e77a1.dll] RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ms060140161733] C:\WINDOWS\ms060140161733.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Spy Sweeper-

********
11:11 PM: | Start of Session, Saturday, May 13, 2006 |
11:11 PM: Spy Sweeper started
11:11 PM: Sweep initiated using definitions version 677
11:11 PM: Found Adware: internetoptimizer
11:11 PM: HKLM\software\avenue media\internet optimizer\browser helper\ || modulefilename (ID = 1187895)
11:11 PM: nem220.dll (ID = 1187895)
11:11 PM: Starting Memory Sweep
11:11 PM: Found Adware: webhancer
11:11 PM: Detected running threat: C:\WINDOWS\webhdll.dll (ID = 83813)
11:12 PM: Found Adware: clkoptimizer
11:12 PM: Detected running threat: C:\WINDOWS\system32\cuqih.exe (ID = 268934)
11:12 PM: Detected running threat: C:\WINDOWS\system32\llaehf.exe (ID = 268995)
11:12 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || kceuhd (ID = 0)
11:12 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run || hykwi (ID = 0)
11:12 PM: Detected running threat: C:\WINDOWS\system32\cuqih.exe (ID = 268934)
11:12 PM: Detected running threat: C:\WINDOWS\system32\cuqih.exe (ID = 268934)
11:13 PM: Found Trojan Horse: trojan-downloader-ac2
11:13 PM: Detected running threat: C:\WINDOWS\system32\w02e77a1.dll (ID = 276222)
11:13 PM: Memory Sweep Complete, Elapsed Time: 00:02:20
11:13 PM: Starting Registry Sweep
11:13 PM: HKCR\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128881)
11:13 PM: HKLM\software\avenue media\ (27 subtraces) (ID = 128888)
11:13 PM: HKLM\software\classes\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128892)
11:13 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet optimizer\ (2 subtraces) (ID = 128921)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
11:13 PM: HKLM\software\policies\avenue media\ (ID = 128929)
11:13 PM: Found Adware: mirar webband
11:13 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135063)
11:13 PM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
11:13 PM: HKCR\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135069)
11:13 PM: HKCR\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135070)
11:13 PM: HKCR\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135071)
11:13 PM: HKCR\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135072)
11:13 PM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
11:13 PM: HKLM\software\classes\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135082)
11:13 PM: HKLM\software\classes\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135083)
11:13 PM: HKLM\software\classes\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135084)
11:13 PM: HKLM\software\classes\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135085)
11:13 PM: HKLM\software\classes\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135092)
11:13 PM: HKCR\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135121)
11:13 PM: HKCR\dyfuca_bh.bhobj.1\ (3 subtraces) (ID = 135175)
11:13 PM: HKCR\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135176)
11:13 PM: HKLM\software\classes\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135194)
11:13 PM: HKLM\software\classes\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135201)
11:13 PM: HKCR\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135217)
11:13 PM: Found Adware: elitemediagroup-mediamotor
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media-motor\ (2 subtraces) (ID = 140208)
11:13 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
11:13 PM: HKCR\clsid\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ (9 subtraces) (ID = 146268)
11:13 PM: HKCR\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}\ (8 subtraces) (ID = 146269)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webhancer agent\ (3 subtraces) (ID = 146274)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\whsurvey\ (3 subtraces) (ID = 146275)
11:13 PM: HKCR\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\ (9 subtraces) (ID = 146279)
11:13 PM: HKCR\whiehelperobj.whiehelperobj.1\ (3 subtraces) (ID = 146280)
11:13 PM: HKCR\whiehelperobj.whiehelperobj\ (3 subtraces) (ID = 146281)
11:13 PM: HKLM\software\avenue media\internet optimizer\ (26 subtraces) (ID = 394594)
11:13 PM: Found Adware: findthewebsiteyouneed hijack
11:13 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
11:13 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
11:13 PM: HKLM\software\qstat\ || brr (ID = 877670)
11:13 PM: Found Adware: command
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
11:13 PM: Found Adware: dollarrevenue
11:13 PM: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
11:13 PM: Found Adware: enbrowser
11:13 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
11:13 PM: HKLM\system\currentcontrolset\services\cmdservice\ (13 subtraces) (ID = 958670)
11:13 PM: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
11:13 PM: HKLM\software\classes\whiehelperobj.whiehelperobj\ (3 subtraces) (ID = 972216)
11:13 PM: HKLM\software\classes\whiehelperobj.whiehelperobj.1\ (3 subtraces) (ID = 972220)
11:13 PM: HKLM\software\classes\clsid\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ (9 subtraces) (ID = 972225)
11:13 PM: HKLM\software\classes\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\ (9 subtraces) (ID = 972236)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
11:13 PM: Found Adware: elitemediagroup-pop64
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroup\ (2 subtraces) (ID = 1015939)
11:13 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
11:13 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
11:13 PM: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
11:13 PM: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
11:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\winats.dll (ID = 1055333)
11:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
11:13 PM: Found Adware: safesearch
11:13 PM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
11:13 PM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
11:13 PM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
11:13 PM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
11:13 PM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
11:13 PM: HKLM\software\irismon\ (14 subtraces) (ID = 1165615)
11:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\irismon\ (2 subtraces) (ID = 1165617)
11:13 PM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
11:13 PM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
11:13 PM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
11:13 PM: Found Adware: ezula ilookup
11:13 PM: HKCR\da.bomb\ (5 subtraces) (ID = 1221354)
11:13 PM: HKCR\da.bomb.1\ (3 subtraces) (ID = 1221359)
11:13 PM: HKCR\onone.theimp\ (5 subtraces) (ID = 1221362)
11:13 PM: HKCR\onone.theimp.1\ (3 subtraces) (ID = 1221367)
11:13 PM: HKCR\clsid\{23fb5add-da37-4a40-9fc0-b0e2384cde92}\ (11 subtraces) (ID = 1221402)
11:13 PM: HKCR\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221449)
11:13 PM: HKCR\typelib\{230290d9-946f-4276-9a91-ce2a2f376b9e}\ (9 subtraces) (ID = 1221495)
11:13 PM: HKLM\software\classes\da.bomb\ (5 subtraces) (ID = 1221507)
11:13 PM: HKLM\software\classes\da.bomb.1\ (3 subtraces) (ID = 1221512)
11:13 PM: HKLM\software\classes\onone.theimp\ (5 subtraces) (ID = 1221515)
11:13 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{23fb5add-da37-4a40-9fc0-b0e2384cde92}\ (ID = 1221519)
11:13 PM: HKLM\software\classes\onone.theimp.1\ (3 subtraces) (ID = 1221523)
11:13 PM: HKLM\software\classes\clsid\{23fb5add-da37-4a40-9fc0-b0e2384cde92}\ (11 subtraces) (ID = 1221558)
11:13 PM: HKLM\software\classes\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221605)
11:13 PM: HKLM\software\classes\typelib\{230290d9-946f-4276-9a91-ce2a2f376b9e}\ (9 subtraces) (ID = 1221651)
11:13 PM: HKCR\mm06ocx.mm06ocxf\ (3 subtraces) (ID = 1323762)
11:13 PM: HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (27 subtraces) (ID = 1323770)
11:13 PM: HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (9 subtraces) (ID = 1323794)
11:13 PM: HKLM\software\classes\mm06ocx.mm06ocxf\ (3 subtraces) (ID = 1323810)
11:13 PM: HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (27 subtraces) (ID = 1323818)
11:13 PM: HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (9 subtraces) (ID = 1323842)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\avenue media\ (ID = 128887)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\policies\avenue media\ (ID = 128928)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\system\sysuid\ (1 subtraces) (ID = 731748)
11:13 PM: Found Adware: zquest
11:13 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
11:13 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
11:13 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
11:13 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:13 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
11:13 PM: HKU\S-1-5-18\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
11:13 PM: Registry Sweep Complete, Elapsed Time:00:00:06
11:13 PM: Starting Cookie Sweep
11:13 PM: Found Spy Cookie: 2o7.net cookie
11:13 PM: justin grindle@2o7[2].txt (ID = 1957)
11:13 PM: Found Spy Cookie: 80503492 cookie
11:13 PM: justin grindle@80503492[1].txt (ID = 2013)
11:13 PM: Found Spy Cookie: 888 cookie
11:13 PM: justin grindle@888[1].txt (ID = 2019)
11:13 PM: Found Spy Cookie: yieldmanager cookie
11:13 PM: justin grindle@ad.yieldmanager[2].txt (ID = 3751)
11:13 PM: Found Spy Cookie: adecn cookie
11:13 PM: justin grindle@adecn[1].txt (ID = 2063)
11:13 PM: Found Spy Cookie: adknowledge cookie
11:13 PM: justin grindle@adknowledge[2].txt (ID = 2072)
11:13 PM: Found Spy Cookie: adlegend cookie
11:13 PM: justin grindle@adlegend[1].txt (ID = 2074)
11:13 PM: Found Spy Cookie: hbmediapro cookie
11:13 PM: justin grindle@adopt.hbmediapro[2].txt (ID = 2768)
11:13 PM: Found Spy Cookie: advertising cookie
11:13 PM: justin grindle@advertising[1].txt (ID = 2175)
11:13 PM: Found Spy Cookie: tacoda cookie
11:13 PM: justin grindle@anat.tacoda[2].txt (ID = 6445)
11:13 PM: Found Spy Cookie: atwola cookie
11:13 PM: justin grindle@ar.atwola[1].txt (ID = 2256)
11:13 PM: Found Spy Cookie: falkag cookie
11:13 PM: justin grindle@as-eu.falkag[2].txt (ID = 2650)
11:13 PM: justin grindle@as-us.falkag[1].txt (ID = 2650)
11:13 PM: Found Spy Cookie: ask cookie
11:13 PM: justin grindle@ask[1].txt (ID = 2245)
11:13 PM: Found Spy Cookie: atlas dmt cookie
11:13 PM: justin grindle@atdmt[2].txt (ID = 2253)
11:13 PM: justin grindle@atwola[1].txt (ID = 2255)
11:13 PM: Found Spy Cookie: searchingbooth cookie
11:13 PM: justin grindle@banners.searchingbooth[1].txt (ID = 3322)
11:13 PM: Found Spy Cookie: belnk cookie
11:13 PM: justin grindle@belnk[1].txt (ID = 2292)
11:13 PM: Found Spy Cookie: bluestreak cookie
11:13 PM: justin grindle@bluestreak[2].txt (ID = 2314)
11:13 PM: Found Spy Cookie: enhance cookie
11:13 PM: justin grindle@c.enhance[1].txt (ID = 2614)
11:13 PM: Found Spy Cookie: goclick cookie
11:13 PM: justin grindle@c.goclick[1].txt (ID = 2733)
11:13 PM: Found Spy Cookie: zedo cookie
11:13 PM: justin grindle@c5.zedo[1].txt (ID = 3763)
11:13 PM: Found Spy Cookie: casalemedia cookie
11:13 PM: justin grindle@casalemedia[2].txt (ID = 2354)
11:13 PM: Found Spy Cookie: cassava cookie
11:13 PM: justin grindle@cassava[1].txt (ID = 2362)
11:13 PM: Found Spy Cookie: overture cookie
11:13 PM: justin grindle@data2.perf.overture[1].txt (ID = 3106)
11:13 PM: Found Spy Cookie: directtrack cookie
11:13 PM: justin grindle@directtrack[1].txt (ID = 2527)
11:13 PM: justin grindle@dist.belnk[2].txt (ID = 2293)
11:13 PM: Found Spy Cookie: exitexchange cookie
11:13 PM: justin grindle@exitexchange[2].txt (ID = 2633)
11:13 PM: Found Spy Cookie: fastclick cookie
11:13 PM: justin grindle@fastclick[1].txt (ID = 2651)
11:13 PM: Found Spy Cookie: findwhat cookie
11:13 PM: justin grindle@findwhat[1].txt (ID = 2674)
11:13 PM: Found Spy Cookie: go.com cookie
11:13 PM: justin grindle@go[2].txt (ID = 2728)
11:13 PM: Found Spy Cookie: starware.com cookie
11:13 PM: justin grindle@h.starware[1].txt (ID = 3442)
11:13 PM: Found Spy Cookie: clickandtrack cookie
11:13 PM: justin grindle@hits.clickandtrack[2].txt (ID = 2397)
11:13 PM: Found Spy Cookie: maxserving cookie
11:13 PM: justin grindle@maxserving[2].txt (ID = 2966)
11:13 PM: Found Spy Cookie: top-banners cookie
11:13 PM: justin grindle@media.top-banners[2].txt (ID = 3548)
11:13 PM: Found Spy Cookie: mediaplex cookie
11:13 PM: justin grindle@mediaplex[1].txt (ID = 6442)
11:13 PM: justin grindle@movies.go[1].txt (ID = 2729)
11:13 PM: justin grindle@msnportal.112.2o7[1].txt (ID = 1958)
11:13 PM: Found Spy Cookie: offeroptimizer cookie
11:13 PM: justin grindle@offeroptimizer[2].txt (ID = 3087)
11:13 PM: justin grindle@overture[1].txt (ID = 3105)
11:13 PM: justin grindle@partygaming.122.2o7[1].txt (ID = 1958)
11:13 PM: Found Spy Cookie: partypoker cookie
11:13 PM: justin grindle@partypoker[2].txt (ID = 3111)
11:13 PM: justin grindle@perf.overture[2].txt (ID = 3106)
11:13 PM: Found Spy Cookie: popuptraffic cookie
11:13 PM: justin grindle@popuptraffic[2].txt (ID = 3163)
11:13 PM: Found Spy Cookie: questionmarket cookie
11:13 PM: justin grindle@questionmarket[2].txt (ID = 3217)
11:13 PM: Found Spy Cookie: realmedia cookie
11:13 PM: justin grindle@realmedia[2].txt (ID = 3235)
11:13 PM: justin grindle@revenuegateway.directtrack[2].txt (ID = 2528)
11:13 PM: Found Spy Cookie: revenue.net cookie
11:13 PM: justin grindle@revenue[2].txt (ID = 3257)
11:13 PM: Found Spy Cookie: server.iad.liveperson cookie
11:13 PM: justin grindle@server.iad.liveperson[1].txt (ID = 3341)
11:13 PM: justin grindle@tacoda[1].txt (ID = 6444)
11:13 PM: Found Spy Cookie: targetnet cookie
11:13 PM: justin grindle@targetnet[1].txt (ID = 3489)
11:13 PM: Found Spy Cookie: trafficmp cookie
11:13 PM: justin grindle@trafficmp[1].txt (ID = 3581)
11:13 PM: Found Spy Cookie: tribalfusion cookie
11:13 PM: justin grindle@tribalfusion[2].txt (ID = 3589)
11:13 PM: justin grindle@try.starware[1].txt (ID = 3442)
11:13 PM: justin grindle@yieldmanager[2].txt (ID = 3749)
11:13 PM: justin grindle@zedo[2].txt (ID = 3762)
11:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:13 PM: Starting File Sweep
11:13 PM: c:\program files\whinstall (11 subtraces) (ID = -2147480064)
11:13 PM: c:\program files\webhancer (8 subtraces) (ID = -2147476841)
11:13 PM: c:\program files\network monitor (1 subtraces) (ID = -2147459771)
11:13 PM: c:\program files\internet optimizer (1 subtraces) (ID = -2147480830)
11:14 PM: Found Adware: deskwizz
11:14 PM: wallpap[1].exe (ID = 240959)
11:15 PM: wallpap[1].exe (ID = 240959)
11:15 PM: license.txt (ID = 83802)
11:15 PM: justin2a[1].exe (ID = 279493)
11:15 PM: wallpap.exe (ID = 240959)
11:15 PM: justin2a.exe (ID = 279493)
11:15 PM: installer_2512[1].exe (ID = 277894)
11:15 PM: mte3ndi6odoxng[1].exe (ID = 185985)
11:15 PM: license.txt (ID = 83802)
11:16 PM: idlemg[1].exe (ID = 235944)
11:16 PM: idlemg.exe (ID = 235944)
11:16 PM: b2search_v17.exe (ID = 188142)
11:16 PM: Found Adware: zenosearchassistant
11:16 PM: zifi002[1].exe (ID = 235993)
11:16 PM: zifi002.exe (ID = 235993)
11:16 PM: Found Adware: purityscan
11:16 PM: yoinsi[1].exe (ID = 213483)
11:16 PM: yoinsi.exe (ID = 213483)
11:16 PM: Found Adware: surfsidekick
11:16 PM: ss1205[1].exe (ID = 278244)
11:16 PM: ss1205.exe (ID = 278244)
11:16 PM: readme.txt (ID = 83804)
11:16 PM: readme.txt (ID = 83804)
11:16 PM: mit84.tmp (ID = 133197)
11:17 PM: Found Adware: look2me
11:17 PM: installer[1].exe (ID = 168558)
11:17 PM: webhdll.dll (ID = 83813)
11:17 PM: sos.i.exe (ID = 246713)
11:18 PM: uninstall_nmon.vbs (ID = 231442)
11:18 PM: wallpap[1].exe (ID = 240959)
11:18 PM: keyboard18.exe (ID = 293397)
11:19 PM: mpxlrkl.exe (ID = 268932)
11:19 PM: cuqih.exe (ID = 268934)
11:20 PM: nem220.dll (ID = 64043)
11:21 PM: mte3ndi6odoxng.exe (ID = 185985)
11:21 PM: webhdll.dll (ID = 83813)
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:22 PM: w0067dbe.dll (ID = 276222)
11:22 PM: optimize.exe (ID = 288489)
11:22 PM: optimize.exe (ID = 288489)
11:23 PM: mit84.tmp.cab (ID = 133197)
11:23 PM: w02e77a1.dll (ID = 276222)
11:24 PM: netmon.exe (ID = 231443)
11:25 PM: irismon.dll (ID = 246191)
11:25 PM: whiehlpr.dll (ID = 83838)
11:25 PM: unirimon.exe (ID = 246195)
11:25 PM: llaehf.exe (ID = 268995)
11:25 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || kceuhd (ID = 0)
11:25 PM: HKU\S-1-5-21-1715567821-606747145-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run || hykwi (ID = 0)
11:26 PM: installer_2512.exe (ID = 277894)
11:26 PM: whinstaller.exe (ID = 83844)
11:26 PM: j84o0ih3e84.dll (ID = 163672)
11:26 PM: backup-20060513-223415-742.dll (ID = 246679)
11:26 PM: chadch.exe (ID = 288265)
11:26 PM: dslfn.exe (ID = 268995)
11:26 PM: o4660ejseho60.dll (ID = 159)
11:26 PM: whinstaller.exe (ID = 83844)
11:26 PM: unwn.exe (ID = 268798)
11:26 PM: installer[1].exe (ID = 231664)
11:26 PM: unstall.exe (ID = 133210)
11:26 PM: mirar.exe (ID = 272168)
11:26 PM: qiohs.dat (ID = 268995)
11:26 PM: wallpap.exe (ID = 240959)
11:26 PM: whsurvey.exe (ID = 83849)
11:26 PM: ac2_0009.exe (ID = 273770)
11:26 PM: l06o0aj3edo.dll (ID = 163672)
11:26 PM: command.exe (ID = 144946)
11:26 PM: backup-20060513-223416-227.dll (ID = 208226)
11:27 PM: whinstaller.ini (ID = 83848)
11:27 PM: whagent.inf (ID = 83821)
11:27 PM: whagent.inf (ID = 83821)
11:27 PM: dmonwv.dll (ID = 268799)
11:27 PM: irsmnusd.dll (ID = 246679)
11:27 PM: csc.dll (ID = 163672)
11:27 PM: whcc-giant.exe (ID = 83829)
11:28 PM: whsurvey.exe (ID = 83849)
11:28 PM: dmvvox.dll (ID = 163672)
11:29 PM: nscad.dll (ID = 180772)
11:29 PM: backup-20060513-223415-458.dll (ID = 233175)
11:29 PM: whagent.exe (ID = 83816)
11:29 PM: whagent.exe (ID = 83816)
11:29 PM: guard.tmp (ID = 159)
11:29 PM: asappsrv.dll (ID = 144945)
11:31 PM: whiehlpr.dll (ID = 83838)
11:31 PM: whagent.ini (ID = 83825)
11:31 PM: whagent.ini (ID = 83825)
11:31 PM: whinstaller.ini (ID = 83848)
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:31 PM: backup-20060513-223415-458.inf (ID = 233153)
11:31 PM: backup-20060513-223416-227.inf (ID = 208224)
11:31 PM: mbpwx35rkhxvuqc4v3o.vbs (ID = 185675)
11:32 PM: File Sweep Complete, Elapsed Time: 00:18:09
11:32 PM: Full Sweep has completed. Elapsed time 00:20:40
11:32 PM: Traces Found: 829
11:33 PM: Removal process initiated
11:33 PM: Quarantining All Traces: clkoptimizer
11:33 PM: clkoptimizer is in use. It will be removed on reboot.
11:33 PM: cuqih.exe is in use. It will be removed on reboot.
11:33 PM: llaehf.exe is in use. It will be removed on reboot.
11:33 PM: dslfn.exe is in use. It will be removed on reboot.
11:33 PM: C:\WINDOWS\system32\cuqih.exe is in use. It will be removed on reboot.
11:33 PM: C:\WINDOWS\system32\llaehf.exe is in use. It will be removed on reboot.
11:33 PM: C:\WINDOWS\system32\cuqih.exe is in use. It will be removed on reboot.
11:33 PM: C:\WINDOWS\system32\cuqih.exe is in use. It will be removed on reboot.
11:33 PM: Quarantining All Traces: look2me
11:33 PM: Quarantining All Traces: purityscan
11:33 PM: Quarantining All Traces: dollarrevenue
11:33 PM: Quarantining All Traces: elitemediagroup-mediamotor
11:33 PM: Quarantining All Traces: enbrowser
11:33 PM: Quarantining All Traces: internetoptimizer
11:33 PM: internetoptimizer is in use. It will be removed on reboot.
11:33 PM: nem220.dll is in use. It will be removed on reboot.
11:33 PM: Quarantining All Traces: safesearch
11:33 PM: Quarantining All Traces: surfsidekick
11:33 PM: Quarantining All Traces: trojan-downloader-ac2
11:33 PM: trojan-downloader-ac2 is in use. It will be removed on reboot.
11:33 PM: w02e77a1.dll is in use. It will be removed on reboot.
11:33 PM: Quarantining All Traces: zquest
11:33 PM: Quarantining All Traces: command
11:33 PM: Quarantining All Traces: deskwizz
11:33 PM: Quarantining All Traces: elitemediagroup-pop64
11:33 PM: Quarantining All Traces: ezula ilookup
11:33 PM: Quarantining All Traces: findthewebsiteyouneed hijack
11:33 PM: Quarantining All Traces: mirar webband
11:33 PM: Quarantining All Traces: webhancer
11:33 PM: webhancer is in use. It will be removed on reboot.
11:33 PM: webhdll.dll is in use. It will be removed on reboot.
11:33 PM: C:\WINDOWS\webhdll.dll is in use. It will be removed on reboot.
11:33 PM: Quarantining All Traces: zenosearchassistant
11:33 PM: Quarantining All Traces: 2o7.net cookie
11:33 PM: Quarantining All Traces: 80503492 cookie
11:33 PM: Quarantining All Traces: 888 cookie
11:33 PM: Quarantining All Traces: adecn cookie
11:33 PM: Quarantining All Traces: adknowledge cookie
11:33 PM: Quarantining All Traces: adlegend cookie
11:33 PM: Quarantining All Traces: advertising cookie
11:33 PM: Quarantining All Traces: ask cookie
11:33 PM: Quarantining All Traces: atlas dmt cookie
11:33 PM: Quarantining All Traces: atwola cookie
11:33 PM: Quarantining All Traces: belnk cookie
11:33 PM: Quarantining All Traces: bluestreak cookie
11:33 PM: Quarantining All Traces: casalemedia cookie
11:33 PM: Quarantining All Traces: cassava cookie
11:33 PM: Quarantining All Traces: clickandtrack cookie
11:33 PM: Quarantining All Traces: directtrack cookie
11:33 PM: Quarantining All Traces: enhance cookie
11:33 PM: Quarantining All Traces: exitexchange cookie
11:33 PM: Quarantining All Traces: falkag cookie
11:33 PM: Quarantining All Traces: fastclick cookie
11:33 PM: Quarantining All Traces: findwhat cookie
11:33 PM: Quarantining All Traces: go.com cookie
11:33 PM: Quarantining All Traces: goclick cookie
11:33 PM: Quarantining All Traces: hbmediapro cookie
11:33 PM: Quarantining All Traces: maxserving cookie
11:33 PM: Quarantining All Traces: mediaplex cookie
11:33 PM: Quarantining All Traces: offeroptimizer cookie
11:33 PM: Quarantining All Traces: overture cookie
11:33 PM: Quarantining All Traces: partypoker cookie
11:33 PM: Quarantining All Traces: popuptraffic cookie
11:33 PM: Quarantining All Traces: questionmarket cookie
11:33 PM: Quarantining All Traces: realmedia cookie
11:33 PM: Quarantining All Traces: revenue.net cookie
11:33 PM: Quarantining All Traces: searchingbooth cookie
11:33 PM: Quarantining All Traces: server.iad.liveperson cookie
11:33 PM: Quarantining All Traces: starware.com cookie
11:33 PM: Quarantining All Traces: tacoda cookie
11:33 PM: Quarantining All Traces: targetnet cookie
11:33 PM: Quarantining All Traces: top-banners cookie
11:33 PM: Quarantining All Traces: trafficmp cookie
11:33 PM: Quarantining All Traces: tribalfusion cookie
11:33 PM: Quarantining All Traces: yieldmanager cookie
11:33 PM: Quarantining All Traces: zedo cookie
11:35 PM: Removal process completed. Elapsed time 00:01:42
********
11:06 PM: | Start of Session, Saturday, May 13, 2006 |
11:06 PM: Spy Sweeper started
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
11:09 PM: Your spyware definitions have been updated.
11:10 PM: Spy Installation Shield: found: Adware: clkoptimizer, version 1.0.0.0 -- Execution Denied
11:10 PM: Spy Installation Shield: found: Adware: zenosearchassistant, version 1.0.0.0 -- Execution Denied
11:10 PM: IE Security Shield: found: C:\WINDOWS\THISELT.EXE -- IE Security modification denied
11:10 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution Denied
11:10 PM: Spy Installation Shield: found: Adware: surfsidekick, version 1.0.0.0 -- Execution Denied
11:10 PM: Spy Installation Shield: found: Adware: command, version 1.0.0.0 -- Execution Denied
11:11 PM: | End of Session, Saturday, May 13, 2006 |


Ewido-

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:57:41 PM, 5/13/2006
+ Report-Checksum: 357BA8CD

+ Scan result:

HKU\S-1-5-21-1715567821-606747145-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@ehg-citrixonline.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Cookies\justin grindle@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@ehg-aviatechllc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@popuptraffic[2].txt -> TrackingCookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@tahitiannoniintl.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\Cookies\justin grindle@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\justin grindle@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

#4 Susan528

    SuperMember
  • Authentic Member
  • 3,194 posts

Posted 13 May 2006 - 10:56 AM

I am glad things have improved. Please do the following:

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\thiselt.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). See if you can find some company information, etc.

Please repeat for the following file:
C:\WINDOWS\ms060140161733.exe

STEP 2.
==============
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see a place to input search terms.
Please enter the search terms:
w02e77a1
After the search has completed a window titled Results.txt will open.
Please copy the results and post (reply) back.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#5 jGrindle36

    New Member
  • New Member
  • 7 posts

Posted 13 May 2006 - 11:19 AM

here are my results-

File: thiselt.exe
Status: POSSIBLY INFECTED/MALWARE
(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
(Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 ec0590d49b53b51d24af35232d71a895
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Service load: 0% 100%

File: ms060140161733.exe
Status: INFECTED/MALWARE
MD5 d24b2ede86974f928c9c9f558933b76c
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:VB-MT
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found modification of BackDoor.Generic.987
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.VB.TF
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038
; 5/14/2006 1:20:07 AM
; Search Term(s) Used: "w02e77a1"
; 3 matches were found.
; The search took 19 seconds.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"w02e77a1.dll"="RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Startup\id_16]
"ValueName"="w02e77a1.dll"
"Value"="RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1"

i am also still getting like 2 popups every 5-10 min, it's nothing compared to before but it's still annoying
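
As an added example, not part of this thread and not RegScan.vbs or any other tool used in it: a small Python script that reads .reg-format text like the RegScan output above and reports Run/RunOnce values that start a DLL through rundll32 by bare file name, the pattern of the w02e77a1.dll entry. The sample export embedded in the script is constructed from the values quoted in the post, plus two benign Run entries (the QuickTime entry from the HijackThis log and an NVIDIA-style rundll32 entry with a full path) so the filter has something to leave alone; the second RegScan match sits under Webroot's own SpySweeper key rather than a Run key, so it is parsed but not flagged.

```python
"""Flag Run-key entries that load a DLL through rundll32 by bare name.

Added example for this thread; it is not RegScan.vbs or any other tool used
in the thread. It parses .reg-format text (what RegScan prints) and reports
Run/RunOnce values whose command is rundll32 followed by a DLL file name with
no directory, the pattern of the w02e77a1.dll entry in the post above.
"""
import re
from typing import List, Tuple

# Constructed sample: the RegScan matches quoted in the post, plus two benign
# Run entries (QuickTime from the HijackThis log, an NVIDIA-style rundll32
# entry with a full path) so the filter has something to leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038
; Search Term(s) Used: "w02e77a1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"w02e77a1.dll"="RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Startup\id_16]
"ValueName"="w02e77a1.dll"
"Value"="RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1"
'''

RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

Entry = Tuple[str, str, str]  # (key path, value name, value data)


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> List[Entry]:
    """Return (key, name, data) for every value in a .reg export.

    Quoted REG_SZ data is unescaped; other data (dword:, hex:) is kept raw.
    Comment lines (;) and the header line are skipped.
    """
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None:
            continue  # header text before the first key
        m = VALUE_LINE_RE.match(line)
        if m:
            name, data = _unescape(m.group(1)), m.group(2)
        elif line.startswith('@='):
            name, data = '', line[2:]  # the key's default value
        else:
            continue
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def _command_tokens(cmd: str) -> List[str]:
    # split a command line on whitespace, keeping quoted paths together
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def suspicious_rundll32_entries(entries: List[Entry]) -> List[Entry]:
    """Return (key, name, dll) for Run/RunOnce values that run rundll32
    against a DLL named without any directory (e.g. 'w02e77a1.dll,I2 ...').
    A bare name is resolved through the DLL search path at logon; most
    vendor entries give a full path, so a hit is a reason to look at the
    file, not a verdict on it.
    """
    hits: List[Entry] = []
    for key, name, data in entries:
        if not RUN_KEY_RE.search(key):
            continue
        toks = _command_tokens(data)
        if len(toks) < 2:
            continue
        exe = toks[0].rsplit('\\', 1)[-1].lower()
        if exe != 'rundll32.exe':
            continue
        dll = toks[1].split(',', 1)[0]  # 'w02e77a1.dll,I2' -> 'w02e77a1.dll'
        if '\\' not in dll and '/' not in dll:
            hits.append((key, name, dll))
    return hits


def scan_reg_text(text: str) -> List[Entry]:
    return suspicious_rundll32_entries(parse_reg(text))


if __name__ == '__main__':
    for key, name, dll in scan_reg_text(SAMPLE_REG):
        print(f'review: [{key}] "{name}" starts {dll} via rundll32 with no path')
```

Run it as a script to see the one flagged entry, or feed any other .reg export to `scan_reg_text`; a match is a pointer to a file worth submitting to a scanner, as the thread does with thiselt.exe and ms060140161733.exe, not a conclusion on its own.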

#6 Susan528

    SuperMember
  • Authentic Member
  • 3,194 posts

Posted 13 May 2006 - 11:40 AM

STEP 1.
======
Cleaning Files

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Note: If you cannot seem to navigate to the Temp folder above, use the Search feature and search on C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp\*.*


Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 2.
======
DelDomains

Download this file to your desktop.
http://www.mvps.org/.../DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


STEP 3.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it.
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\WINDOWS\thiselt.exe
C:\WINDOWS\ms060140161733.exe


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "load at Windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following--if they still exist:
O4 - HKLM\..\Run: [w02e77a1.dll] RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ms060140161733] C:\WINDOWS\ms060140161733.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemed...s/mediaview.cab

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

==========
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.

Please post (reply) with the Kaspersky results and another hijackthis scan.

Proud member of ASAP since 2005

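As an added example (not code from the thread, the helper, or HijackThis), the following Python script applies the same checks the fix list above relies on to a HijackThis log: a UserInit value listing anything besides userinit.exe, Run entries starting an exe from the Windows root or loading a bare DLL through RUNDLL32, Trusted Zone additions, and downloaded ActiveX controls shown with no object name. The sample lines are constructed from the logs posted in this thread (with the forum's "..." URL truncation left in), and the root-exe and unnamed-control rules are heuristics of this script, not HijackThis rules.

```python
"""Triage a HijackThis v1.99 log for the entry classes fixed in this thread.

Added example: not code from the thread, the helper, or HijackThis. The
rules encode the patterns acted on above, as heuristics of this script:
  F2  - a Winlogon UserInit value naming anything besides userinit.exe
  O4  - Run entries that start an exe sitting directly in the Windows root,
        or that load a DLL by bare name through RUNDLL32
  O15 - any Trusted Zone addition
  O16 - a downloaded ActiveX control HijackThis shows with no object name
Sample lines are constructed from the logs posted in this thread (URLs keep
the forum's "..." truncation).
"""
import re
from typing import Callable, Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

# The only legitimate program in the UserInit value on Windows XP.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
# Exe directly under C:\WINDOWS (no subfolder); vendor software normally
# lives in Program Files or system32, the droppers in this thread did not.
WINDIR_ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?(\s|$)', re.I)
# RUNDLL32 given a DLL name with no path, as the Mirar loader entry was.
RUNDLL_BARE_DLL = re.compile(r"^rundll32(\.exe)?\s+[^\\\s]+\.dll", re.I)


def check_f2(body: str) -> List[str]:
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body, re.I)
    if not m:
        return []
    # Winlogon runs every comma-separated program in this value at logon.
    programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [f"extra UserInit program: {p}" for p in programs
            if p.lower() != LEGIT_USERINIT]


def check_o4(body: str) -> List[str]:
    m = re.match(r"HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    if WINDIR_ROOT_EXE.match(cmd):
        return [f"Run entry [{name}] starts an exe from the Windows root"]
    if RUNDLL_BARE_DLL.match(cmd):
        return [f"Run entry [{name}] loads a bare DLL via RUNDLL32"]
    return []


def check_o15(body: str) -> List[str]:
    m = re.match(r"Trusted Zone: (.+)$", body)
    return [f"Trusted Zone addition: {m.group(1)}"] if m else []


def check_o16(body: str) -> List[str]:
    # HijackThis prints the control's registered name in parentheses when
    # it has one; the Mirar cab in this thread had none.
    m = re.match(r"DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]*)\))?"
                 r" - (?P<url>\S+)$", body, re.I)
    if not m or m.group("name"):
        return []
    return [f"unnamed ActiveX control {m.group('clsid')} from {m.group('url')}"]


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "F2": check_f2, "O4": check_o4, "O15": check_o15, "O16": check_o16,
}


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every entry worth fixing."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        check = CHECKS.get(m.group("sec"))
        for reason in (check(m.group("body")) if check else []):
            findings.append((line, reason))
    return findings


# Constructed sample: a mix of the bad and the benign lines posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
O4 - HKLM\..\Run: [w02e77a1.dll] RUNDLL32.EXE w02e77a1.dll,I2 000cce45002e77a1
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemed...s/mediaview.cab
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Entries the script does not flag (the McAfee, ATI, or Java Run entries, for instance) still deserve a look by eye; the rules only cover the four patterns this thread turned on.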

#7 jGrindle36

    New Member
  • New Member
  • 7 posts

Posted 13 May 2006 - 03:58 PM

ok here are the kaspersky results-

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 47894
Number of viruses found 18
Number of infected objects 129
Number of suspicious objects 0
Duration of the scan process 01:21:25

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe NSIS: infected - 2 skipped

C:\Program Files\Internet Explorer\medonuga.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP78\A0017922.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP78\A0019009.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP79\A0019930.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP79\A0019931.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP79\A0019936.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019973.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019975.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019978.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019978.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019978.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019979.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019981.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019992.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019996.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020001.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020002.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020012.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020013.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020013.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020013.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP81\A0020015.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020030.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020031.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020038.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020039.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020039.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020039.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP82\A0020041.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020056.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020057.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020064.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020065.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020065.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020065.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020067.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020078.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP83\A0020080.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021035.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021037.exe Infected: Trojan-Downloader.Win32.VB.abj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021038.exe Infected: Trojan-Downloader.Win32.Adload.bf skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021039.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021040.exe Infected: Trojan-Downloader.Win32.Adload.bi skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021041.exe Infected: Trojan-Downloader.Win32.Adload.bj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021042.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021042.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021042.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021043.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021046.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021047.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021056.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021058.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021083.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021112.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP85\A0021116.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021121.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021122.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021143.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021144.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021146.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021147.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021219.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021222.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021223.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021224.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021224.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021224.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021225.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021225.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021225.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021233.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021234.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021235.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021239.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021240.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021250.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0021252.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022251.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022253.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022268.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022270.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022287.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP86\A0022289.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022323.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022325.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022336.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022341.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022357.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022359.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022371.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022373.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022393.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022395.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022398.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022398.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022398.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022400.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022409.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022411.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022423.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022427.exe Infected: Trojan-Clicker.Win32.VB.ly skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022428.exe Infected: Trojan-Clicker.Win32.VB.ly skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022431.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022431.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022431.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022449.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022450.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022452.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022458.exe Infected: Trojan-Downloader.Win32.VB.abj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022460.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022461.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022462.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022467.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022468.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022469.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022503.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022504.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP87\A0022505.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\WINDOWS\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped

C:\WINDOWS\Downloaded Program Files\3631382D2D2D.exe Infected: Trojan-Downloader.Win32.Adload.bc skipped

C:\WINDOWS\newname18.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

C:\WINDOWS\Taga96.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\WINDOWS\Taga96.exe NSIS: infected - 1 skipped

Scan process completed.


and here is the hijackthis-
Logfile of HijackThis v1.99.1
Scan saved at 6:01:05 AM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Grindle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [D-Link AirPremier Utility] C:\Program Files\D-Link\AirPremier Utility\D-Link\AirPremier Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

the popups have completely stopped
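As an added example (not code from the thread or from Kaspersky), the following Python script splits a report like the one above into copies held in System Restore points, which the System Restore reset asked for next will discard, and live files that still have to be deleted; it parses the row format shown in the posted report, and its sample rows are constructed from that report.

```python
"""Sort a Kaspersky WebScanner report into what resetting System Restore
will discard and what still has to be deleted by hand.

Added example: not code from the thread, the helper, or Kaspersky. The
report prints one row per infected object. Members of an installer archive
show up as "<file>/dataNNNN" rows plus a summary row for the container, and
copies held in restore points live under
"System Volume Information\\_restore{...}\\RPnn\\". The helper's next step
treats those two groups differently, which is the split made here.
Sample rows are constructed from the report posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Set

# "<path> Infected: <detection> <action>"  or
# "<path> <archive>: infected - <n> <action>"  (container summary row)
ROW_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<archive>\w+): infected - \d+) "
    r"(?P<action>\w+)$"
)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I
)


def container_path(obj: str) -> str:
    """The file on disk holding the object: drop any /dataNNNN member suffix."""
    return obj.split("/", 1)[0]


def is_restore_point(path: str) -> bool:
    return RESTORE_RE.search(path) is not None


@dataclass
class Triage:
    live_files: Set[str] = field(default_factory=set)           # delete these
    restore_point_files: Set[str] = field(default_factory=set)  # SR reset clears
    detections: Counter = field(default_factory=Counter)        # per detection name
    rows: int = 0


def triage_report(report: str) -> Triage:
    t = Triage()
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # settings, statistics, "Scan process completed."
        t.rows += 1
        path = container_path(m.group("path"))
        if is_restore_point(path):
            t.restore_point_files.add(path)
        else:
            t.live_files.add(path)
        if m.group("name"):  # archive summary rows carry no detection name
            t.detections[m.group("name")] += 1
    return t


# Constructed sample: a subset of the rows posted above.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe NSIS: infected - 2 skipped
C:\Program Files\Internet Explorer\medonuga.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP78\A0017922.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP80\A0019978.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped
Scan process completed.
"""

if __name__ == "__main__":
    t = triage_report(SAMPLE_REPORT)
    print(f"{t.rows} infected objects, {len(t.detections)} distinct detections")
    print("cleared by the System Restore reset:", *sorted(t.restore_point_files), sep="\n  ")
    print("still on disk, delete by hand:", *sorted(t.live_files), sep="\n  ")
```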

#8 Susan528

    SuperMember
  • Authentic Member
  • 3,194 posts

Posted 13 May 2006 - 06:43 PM

Good work! :) Things are improving. Let's work on those infected files that Kaspersky found.

STEP 1.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
STEP 2.
======
Scan with HijackThis. Place a check against each of the following:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

STEP 3.
======
Delete Files with Killbox

If you still have it – skip the download.
Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe/data0004
C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe/data0005
C:\Documents and Settings\Justin Grindle\Application Data\System Restore\VSL04.exe
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0004
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe/data0005
C:\Documents and Settings\Justin Grindle\Local Settings\Temp\VSL04.exe
C:\Program Files\Internet Explorer\medonuga.dll
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\Downloaded Program Files\3631382D2D2D.exe
C:\WINDOWS\newname18.exe
C:\WINDOWS\Taga96.exe/data0003
C:\WINDOWS\Taga96.exe


In Killbox, click on the File menu and then the Paste from Clipboard item.
In the Full Path of File to Delete field, drop down the arrow and make sure that all of the files are listed.
(Please note that the tool checks your computer for the presence of the files pasted into the box, so if files are not present, it is possible that you might not see all the files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the red X, and click Yes on the confirmation message that appears. A second message will ask "Reboot now?"; click No until the last one, at which time you click Yes to allow the reboot.

Run another Kaspersky scan. Please post (reply) with the results from Kaspersky and a fresh HijackThis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
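The one registry fix in post #8 is the F2 entry, where a second program (mpxlrkl.exe) has been appended to the Winlogon UserInit value so it starts at every logon; the O20 Winlogon Notify and "Unknown owner" O23 lines in these logs are the other places a helper has to look by hand. The script below is an added example, written for this page and not part of the thread or of HijackThis itself: it reads a HijackThis 1.99 log and flags those entry types. The heuristics are my own assumptions, and SAMPLE_LOG is constructed from lines quoted in the thread plus one made-up HKCU Run entry (named "updater") that points at the Temp path from the Killbox list, added to show the user-writable-folder rule.

```python
"""Triage a HijackThis 1.99 log for the persistence tricks seen in this thread.

Added example: not part of the forum thread and not HijackThis code.
The rules below are my own heuristics. SAMPLE_LOG is constructed from
lines quoted in the thread plus one made-up Run entry ("updater").
"""
from __future__ import annotations

import re

# On Windows XP the Winlogon UserInit value is userinit.exe followed by a
# trailing comma. Anything listed after the comma also runs at every logon,
# which is how the mpxlrkl.exe entry fixed in post #8 persisted.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# User-writable folders a Run entry should not normally start from
# (the droppers in this thread lived in Temp, Application Data and
# Downloaded Program Files).
USER_WRITABLE = (r"\local settings\temp", r"\application data",
                 r"\downloaded program files", r"\windows\temp")

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$", re.I)
# First program on a Run command line, quoted or not ("c:\a b\x.exe" /flag, x.exe).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|dll|bat))"?(?:\s|$)', re.I)


def program_of(cmd: str) -> str:
    """Return the executable a Run command line starts."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.split()[0]


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, log line) for each suspicious entry.

    'fix'    : should never be present (an extra UserInit program).
    'review' : needs a human look; legitimate software uses these too
               (AlienGUIse and Spy Sweeper both register Winlogon Notify DLLs).
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            parts = [p.strip() for p in m["value"].split(",")]
            extra = [p for p in parts[1:] if p]
            if parts[0].lower() != EXPECTED_USERINIT:
                findings.append(("fix", f"UserInit replaced: {parts[0]}", line))
            elif extra:
                findings.append(("fix", "UserInit runs extra program(s): " + ", ".join(extra), line))
        elif m := O4_RE.match(line):
            exe = program_of(m["cmd"])
            if "\\" not in exe:
                findings.append(("review", f"Run entry '{m['name']}' has no path ({exe}); resolved via the search path", line))
            elif any(d in exe.lower() for d in USER_WRITABLE):
                findings.append(("review", f"Run entry '{m['name']}' starts from a user-writable folder: {exe}", line))
        elif m := O20_RE.match(line):
            if not m["dll"].lower().startswith("c:\\windows\\system32\\"):
                findings.append(("review", f"Winlogon Notify DLL outside system32: {m['dll']}", line))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(("review", f"Service '{m['name']}' has no publisher: {m['path']}", line))
    return findings


# Constructed sample: lines quoted in the thread, plus the made-up "updater" entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mpxlrkl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\VSL04.exe
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Only the UserInit entry comes back as "fix"; everything else is "review", because a Winlogon Notify DLL outside system32 or a service with no publisher string is exactly what the legitimate AlienGUIse, Spy Sweeper and McAfee entries in these logs look like. The value of the script is that it never loses an entry of those types in a 100-line log, not that it decides for you.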

#9 jGrindle36

Posted 13 May 2006 - 08:59 PM

Kaspersky results:

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 39505
Number of viruses found 5
Number of infected objects 20
Number of suspicious objects 0
Duration of the scan process 01:12:27

Infected Object Name Virus Name Last Action
C:\!KillBox\3631382D2D2D.exe Infected: Trojan-Downloader.Win32.Adload.bc skipped

C:\!KillBox\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped

C:\!KillBox\medonuga.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\!KillBox\newname18.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

C:\!KillBox\Taga96.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\!KillBox\Taga96.exe NSIS: infected - 1 skipped

C:\!KillBox\VSL04.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\!KillBox\VSL04.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\!KillBox\VSL04.exe NSIS: infected - 2 skipped

C:\!KillBox\VSL04.exe( 1)/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\!KillBox\VSL04.exe( 1)/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\!KillBox\VSL04.exe( 1) NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000003.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000003.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000015.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000016.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000017.exe Infected: Trojan-Downloader.Win32.VB.acn skipped

Scan process completed.


HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:02:12 AM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1140457788\ee\aim6.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Justin Grindle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [D-Link AirPremier Utility] C:\Program Files\D-Link\AirPremier Utility\D-Link\AirPremier Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#10 Susan528

Posted 14 May 2006 - 09:13 AM

You got rid of some of those infected files. Let's see if we can finish it up.

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


Delete Files and Folders
Please delete the following files/folders:
C:\!KillBox\<==folder
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

Empty your Recycle Bin and reboot.

System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
Please run Kaspersky and post (reply) the results and a new HijackThis log.
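The report in post #9 says 20 infected objects, yet post #10 treats it as good news: every hit is either inside C:\!KillBox (the backup folder Killbox leaves behind for the files it deleted) or inside a System Restore point, and neither copy can run. The script below is an added example, written for this page and not taken from the thread or from Kaspersky: it parses that report format and sorts each object by where it sits, which turns "20 infected objects" into "nothing live, two places to purge". The location rules are my own assumptions, and SAMPLE_REPORT is constructed from the lines quoted in post #9.

```python
"""Sort a Kaspersky online-scanner report by where each detected object lives.

Added example; not from the forum thread and not Kaspersky code.
A hit in Killbox's backup folder or in a System Restore point is a dormant
copy, not running malware, so the counts below separate those out.
SAMPLE_REPORT is constructed from the lines quoted in post #9.
"""
import re
from collections import Counter

# "<path> Infected: <family> <action>"  or  "<path> NSIS: infected - <n> <action>"
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|NSIS: infected - \d+) (?P<action>\S+)$"
)
# Restore points live under \System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\")


def classify(path: str) -> str:
    """Where a detected file sits: killbox_backup, restore_point or live."""
    low = path.lower()
    if low.startswith("c:\\!killbox\\"):
        return "killbox_backup"
    if RESTORE_RE.search(low):
        return "restore_point"
    return "live"


def triage(report: str) -> dict:
    """Parse a scanner report and summarise it by location and malware family."""
    objects = []  # (location, object path as reported, family or None)
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics and blank lines
        path = m["path"]
        # "installer.exe/data0004" is a member inside an NSIS installer;
        # what exists on disk is the part before the slash.
        on_disk = path.split("/")[0]
        objects.append((classify(on_disk), path, m["name"]))
    files = {}
    for loc, path, _ in objects:
        files.setdefault(loc, set()).add(path.split("/")[0])
    return {
        "objects": len(objects),
        "families": sorted({name for _, _, name in objects if name}),
        "by_location": dict(Counter(loc for loc, _, _ in objects)),
        "files_by_location": {k: sorted(v) for k, v in files.items()},
        "live": [path for loc, path, _ in objects if loc == "live"],
    }


# Constructed from the report quoted in post #9.
SAMPLE_REPORT = r"""
Scan Statistics
Total number of scanned objects 39505
Number of viruses found 5
Number of infected objects 20

Infected Object Name Virus Name Last Action
C:\!KillBox\3631382D2D2D.exe Infected: Trojan-Downloader.Win32.Adload.bc skipped
C:\!KillBox\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\medonuga.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\!KillBox\newname18.exe Infected: Trojan-Downloader.Win32.VB.acn skipped
C:\!KillBox\Taga96.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Taga96.exe NSIS: infected - 1 skipped
C:\!KillBox\VSL04.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\!KillBox\VSL04.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\!KillBox\VSL04.exe NSIS: infected - 2 skipped
C:\!KillBox\VSL04.exe( 1)/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\!KillBox\VSL04.exe( 1)/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\!KillBox\VSL04.exe( 1) NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000003.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000003.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000014.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000015.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000016.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{0BCA8DBD-A9FD-4079-BB43-A456176B61E4}\RP1\A0000017.exe Infected: Trojan-Downloader.Win32.VB.acn skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["objects"], "objects:", summary["by_location"])
    print("families:", summary["families"])
    print("live:", summary["live"] or "none")
```

On the posted report this gives 12 objects in the Killbox backup (7 distinct files), 8 in restore point RP1, nothing live, and exactly the 5 families the scanner's own "Number of viruses found" line reports. The two purge actions post #10 prescribes fall straight out of the "files_by_location" keys: delete the C:\!KillBox folder, and reset System Restore to drop RP1.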

#11 jGrindle36

Posted 14 May 2006 - 03:50 PM

The Kaspersky scan reported the computer clean.

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:52:54 AM, on 5/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AlienGUIse\wbload.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Justin Grindle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140457788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [D-Link AirPremier Utility] C:\Program Files\D-Link\AirPremier Utility\D-Link\AirPremier Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12 Susan528

Posted 16 May 2006 - 05:58 PM

Good Work! :) Your logs appear to be clean!

Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 2.( Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 4.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Update regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • More info on how to prevent malware can also be found here (by Tony Klein)
    and here: http://wiki.castleco...nt_Re-infection
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

#13 jGrindle36

Posted 16 May 2006 - 06:20 PM

Thank you very much for your time and effort. I really appreciate it. Good luck in the future.

#14 Susan528

Posted 16 May 2006 - 06:25 PM

Thank you! Good luck to you too! :)

#15 Susan528

Posted 22 May 2006 - 07:14 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
