Zeno Adware


  • This topic is locked
23 replies to this topic

#1 Christian

    New Member, 18 posts

Posted 28 May 2006 - 08:23 PM

I have popups that just won't go away! I have used Spybot S&D and Ad-Aware. Then I used ewido anti-malware in safe mode... this did not get rid of the problem. The popups are Zeno advertisements, popuptraffic.com, and I also have ads playing over my speakers! Can someone please help me?

Here is the ewido anti-malware log:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:49:18 PM, 5/28/2006
+ Report-Checksum: 1B67085B

+ Scan result:

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cc14802-7eefe361.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cc14802-7eefe361.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\HP_Owner\Application Data\АрpPatch\csrss.exe.tcf -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll.tcf -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pkdsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:24 PM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\pwinlqez.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinlqez.exe GID003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
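
As an added example (not code from this thread, from HijackThis or from any tool named here), the following Python pass reads lines in the HijackThis v1.99 format shown above and flags what a helper looks for by eye: orphaned entries, autostarts that run from a user-profile data folder, unnamed BHOs/toolbars, and paths containing a character that is not plain ASCII or a "?" (HijackThis prints "?" for a character it cannot render, and "?" is not a legal Windows path character, so it always marks a substituted character). The sample lines are constructed from this log; the Cyrillic-lettered folder line is constructed from the ewido finding in the same post, and the flag names are this example's own.

```python
"""Flag suspicious autostart lines in a HijackThis v1.99 log (added example)."""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample in the line format HijackThis 1.99.1 writes. The last O4
# line is constructed from the ewido finding in this thread: a folder whose
# first two letters are Cyrillic look-alikes (U+0410, U+0440) of Latin "Ap".
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinlqez.exe GID003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O4 - HKCU\..\Run: [csrss] C:\Documents and Settings\HP_Owner\Application Data\{{APPPATCH}}\csrss.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
""".strip().replace("{{APPPATCH}}", "\u0410\u0440pPatch")

# One regex per HijackThis section handled here; each yields "name" and "target".
LINE_PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
}
# Path ends at the first executable-looking extension; quotes and arguments are dropped.
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|vbs|bat|cmd))"?(?:\s|$)', re.I)
# Folders a legitimate Run entry on a home XP box seldom executes from.
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    flags: list = field(default_factory=list)


def executable_path(target: str) -> str:
    """Strip quotes, arguments and '(file missing)' markers to get the file path."""
    m = EXE_PATH.match(target)
    return m.group("path") if m else target


def non_ascii_names(path: str) -> list:
    """Unicode names of every non-ASCII character in the path, for the analyst."""
    return [unicodedata.name(c, "UNNAMED") for c in path if ord(c) > 127]


def flags_for(entry: Entry) -> list:
    flags = []
    low = entry.target.lower()
    if "(file missing)" in low or "(no file)" in low:
        flags.append("orphaned")           # registry points at a file that is gone
    path = executable_path(entry.target)
    if "?" in path or not path.isascii():
        flags.append("non-ascii-path")     # homoglyph folder or unrenderable character
    if any(d in path.lower() for d in PROFILE_DIRS):
        flags.append("profile-autostart")  # runs from user data, not Program Files
    if entry.section in ("O2", "O3") and entry.name == "(no name)":
        flags.append("unnamed")            # legitimate BHOs and toolbars register a name
    return flags


def parse_line(line: str):
    for section, pattern in LINE_PATTERNS.items():
        m = pattern.match(line)
        if m:
            return Entry(section, m.group("name"), m.group("target"))
    return None


def suspicious_entries(log_text: str) -> list:
    """Parse every recognised line and keep those that trip at least one flag."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is not None:
            entry.flags = flags_for(entry)
            if entry.flags:
                found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.section:<4}{e.name:<24}{', '.join(e.flags):<36}{e.target}")
        for n in non_ascii_names(executable_path(e.target)):
            print(f"        non-ASCII character: {n}")
```

String heuristics like these do not flag pwinlqez.exe, the BrowserUpdateSched entry that the Spy Sweeper registry sweep later in the thread identifies by signature, so treat the flags as a triage aid, not a verdict.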



#2 Susan528

    SuperMember, 3,194 posts

Posted 29 May 2006 - 07:30 AM

Hello Christian, and welcome to TomCoyote.

Let's do the following please.

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Standard
      • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Empty Recycle Bin

Reboot and copy/paste a new HJT log, as well as the results from the Spy Sweeper file and Kaspersky, into this thread.

Proud member of ASAP since 2005


#3 Christian

    New Member, 18 posts

Posted 29 May 2006 - 10:48 PM

OK... did all that... I still have some popups, but there are fewer.

Here's the Spy Sweeper log:
********
10:09 PM: | Start of Session, Monday, May 29, 2006 |
10:09 PM: Spy Sweeper started
10:09 PM: Sweep initiated using definitions version 686
10:09 PM: Starting Memory Sweep
10:10 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:10 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:14 PM: Memory Sweep Complete, Elapsed Time: 00:05:17
10:14 PM: Starting Registry Sweep
10:15 PM: Found Adware: zenosearchassistant
10:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\enhanced ads by zeno\ (2 subtraces) (ID = 147934)
10:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\ (2 subtraces) (ID = 147935)
10:15 PM: Found Adware: quicklink search toolbar
10:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
10:15 PM: Found Adware: command
10:15 PM: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
10:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
10:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
10:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || browserupdatesched (ID = 1075246)
10:15 PM: Registry Sweep Complete, Elapsed Time:00:00:16
10:15 PM: Starting Cookie Sweep
10:15 PM: Found Spy Cookie: 2o7.net cookie
10:15 PM: hp_owner@2o7[2].txt (ID = 1957)
10:15 PM: Found Spy Cookie: 50881381 cookie
10:15 PM: hp_owner@50881381[1].txt (ID = 1981)
10:15 PM: Found Spy Cookie: 888 cookie
10:15 PM: hp_owner@888[1].txt (ID = 2019)
10:15 PM: Found Spy Cookie: websponsors cookie
10:15 PM: hp_owner@a.websponsors[2].txt (ID = 3665)
10:15 PM: Found Spy Cookie: yieldmanager cookie
10:15 PM: hp_owner@ad.yieldmanager[1].txt (ID = 3751)
10:15 PM: Found Spy Cookie: adecn cookie
10:15 PM: hp_owner@ad2.adecn[1].txt (ID = 2064)
10:15 PM: hp_owner@adecn[2].txt (ID = 2063)
10:15 PM: Found Spy Cookie: adknowledge cookie
10:15 PM: hp_owner@adknowledge[1].txt (ID = 2072)
10:15 PM: Found Spy Cookie: hbmediapro cookie
10:15 PM: hp_owner@adopt.hbmediapro[2].txt (ID = 2768)
10:15 PM: Found Spy Cookie: hotbar cookie
10:15 PM: hp_owner@adopt.hotbar[2].txt (ID = 4207)
10:15 PM: Found Spy Cookie: specificclick.com cookie
10:15 PM: hp_owner@adopt.specificclick[2].txt (ID = 3400)
10:15 PM: Found Spy Cookie: adprofile cookie
10:15 PM: hp_owner@adprofile[2].txt (ID = 2084)
10:15 PM: Found Spy Cookie: adrevolver cookie
10:15 PM: hp_owner@adrevolver[1].txt (ID = 2088)
10:15 PM: hp_owner@adrevolver[2].txt (ID = 2088)
10:15 PM: Found Spy Cookie: addynamix cookie
10:15 PM: hp_owner@ads.addynamix[1].txt (ID = 2062)
10:15 PM: Found Spy Cookie: pointroll cookie
10:15 PM: hp_owner@ads.pointroll[1].txt (ID = 3148)
10:15 PM: Found Spy Cookie: zenotecnico cookie
10:15 PM: hp_owner@ads.zenotecnico[1].txt (ID = 3859)
10:15 PM: Found Spy Cookie: revenue.net cookie
10:15 PM: hp_owner@ads1.revenue[2].txt (ID = 3258)
10:15 PM: Found Spy Cookie: adserver cookie
10:15 PM: hp_owner@adserver[1].txt (ID = 2141)
10:15 PM: Found Spy Cookie: tacoda cookie
10:15 PM: hp_owner@anat.tacoda[2].txt (ID = 6445)
10:15 PM: Found Spy Cookie: apmebf cookie
10:15 PM: hp_owner@apmebf[1].txt (ID = 2229)
10:15 PM: Found Spy Cookie: falkag cookie
10:15 PM: hp_owner@as-eu.falkag[2].txt (ID = 2650)
10:15 PM: hp_owner@as-us.falkag[2].txt (ID = 2650)
10:15 PM: Found Spy Cookie: ask cookie
10:15 PM: hp_owner@ask[1].txt (ID = 2245)
10:15 PM: Found Spy Cookie: azjmp cookie
10:15 PM: hp_owner@azjmp[2].txt (ID = 2270)
10:15 PM: Found Spy Cookie: searchingbooth cookie
10:15 PM: hp_owner@banners.searchingbooth[1].txt (ID = 3322)
10:15 PM: Found Spy Cookie: belnk cookie
10:15 PM: hp_owner@belnk[1].txt (ID = 2292)
10:15 PM: Found Spy Cookie: bluestreak cookie
10:15 PM: hp_owner@bluestreak[2].txt (ID = 2314)
10:15 PM: Found Spy Cookie: burstnet cookie
10:15 PM: hp_owner@burstnet[1].txt (ID = 2336)
10:15 PM: Found Spy Cookie: enhance cookie
10:15 PM: hp_owner@c.enhance[1].txt (ID = 2614)
10:15 PM: Found Spy Cookie: zedo cookie
10:15 PM: hp_owner@c5.zedo[2].txt (ID = 3763)
10:15 PM: Found Spy Cookie: cassava cookie
10:15 PM: hp_owner@cassava[1].txt (ID = 2362)
10:15 PM: Found Spy Cookie: overture cookie
10:15 PM: hp_owner@data1.perf.overture[1].txt (ID = 3106)
10:15 PM: hp_owner@data2.perf.overture[1].txt (ID = 3106)
10:15 PM: Found Spy Cookie: directtrack cookie
10:15 PM: hp_owner@directtrack[1].txt (ID = 2527)
10:15 PM: hp_owner@dist.belnk[1].txt (ID = 2293)
10:15 PM: Found Spy Cookie: ru4 cookie
10:15 PM: hp_owner@edge.ru4[1].txt (ID = 3269)
10:15 PM: Found Spy Cookie: exitexchange cookie
10:15 PM: hp_owner@exitexchange[2].txt (ID = 2633)
10:15 PM: Found Spy Cookie: fortunecity cookie
10:15 PM: hp_owner@fortunecity[1].txt (ID = 2686)
10:15 PM: hp_owner@freeze.directtrack[2].txt (ID = 2528)
10:15 PM: Found Spy Cookie: humanclick cookie
10:15 PM: hp_owner@hc2.humanclick[1].txt (ID = 2810)
10:15 PM: Found Spy Cookie: clickandtrack cookie
10:15 PM: hp_owner@hits.clickandtrack[2].txt (ID = 2397)
10:15 PM: Found Spy Cookie: screensavers.com cookie
10:15 PM: hp_owner@i.screensavers[2].txt (ID = 3298)
10:15 PM: Found Spy Cookie: maxserving cookie
10:15 PM: hp_owner@maxserving[2].txt (ID = 2966)
10:15 PM: Found Spy Cookie: top-banners cookie
10:15 PM: hp_owner@media.top-banners[1].txt (ID = 3548)
10:15 PM: Found Spy Cookie: mygeek cookie
10:15 PM: hp_owner@mygeek[1].txt (ID = 3041)
10:15 PM: Found Spy Cookie: realmedia cookie
10:15 PM: hp_owner@network.realmedia[2].txt (ID = 3236)
10:15 PM: hp_owner@overture[1].txt (ID = 3105)
10:15 PM: hp_owner@partygaming.122.2o7[1].txt (ID = 1958)
10:15 PM: Found Spy Cookie: partypoker cookie
10:15 PM: hp_owner@partypoker[1].txt (ID = 3111)
10:15 PM: hp_owner@perf.overture[1].txt (ID = 3106)
10:15 PM: Found Spy Cookie: tripod cookie
10:15 PM: hp_owner@pers0n99.tripod[1].txt (ID = 3592)
10:15 PM: Found Spy Cookie: popuptraffic cookie
10:15 PM: hp_owner@popuptraffic[1].txt (ID = 3163)
10:15 PM: Found Spy Cookie: pro-market cookie
10:15 PM: hp_owner@pro-market[2].txt (ID = 3197)
10:15 PM: Found Spy Cookie: qksrv cookie
10:15 PM: hp_owner@qksrv[1].txt (ID = 3213)
10:15 PM: Found Spy Cookie: questionmarket cookie
10:15 PM: hp_owner@questionmarket[2].txt (ID = 3217)
10:15 PM: hp_owner@realmedia[2].txt (ID = 3235)
10:15 PM: Found Spy Cookie: valuead cookie
10:15 PM: hp_owner@reduxads.valuead[1].txt (ID = 3627)
10:15 PM: hp_owner@revenue[2].txt (ID = 3257)
10:15 PM: Found Spy Cookie: adjuggler cookie
10:15 PM: hp_owner@rotator.adjuggler[2].txt (ID = 2071)
10:15 PM: Found Spy Cookie: server.iad.liveperson cookie
10:15 PM: hp_owner@server.iad.liveperson[1].txt (ID = 3341)
10:15 PM: Found Spy Cookie: serving-sys cookie
10:15 PM: hp_owner@serving-sys[2].txt (ID = 3343)
10:15 PM: Found Spy Cookie: statcounter cookie
10:15 PM: hp_owner@statcounter[2].txt (ID = 3447)
10:15 PM: Found Spy Cookie: reliablestats cookie
10:15 PM: hp_owner@stats1.reliablestats[1].txt (ID = 3254)
10:15 PM: hp_owner@tacoda[2].txt (ID = 6444)
10:15 PM: Found Spy Cookie: tradedoubler cookie
10:15 PM: hp_owner@tradedoubler[1].txt (ID = 3575)
10:15 PM: Found Spy Cookie: trafficmp cookie
10:15 PM: hp_owner@trafficmp[2].txt (ID = 3581)
10:15 PM: Found Spy Cookie: tribalfusion cookie
10:15 PM: hp_owner@tribalfusion[1].txt (ID = 3589)
10:15 PM: hp_owner@tripod[2].txt (ID = 3591)
10:15 PM: Found Spy Cookie: videodome cookie
10:15 PM: hp_owner@videodome[1].txt (ID = 3638)
10:15 PM: Found Spy Cookie: burstbeacon cookie
10:15 PM: hp_owner@www.burstbeacon[2].txt (ID = 2335)
10:15 PM: hp_owner@z1.adserver[1].txt (ID = 2142)
10:15 PM: hp_owner@zedo[2].txt (ID = 3762)
10:15 PM: hp_owner@zenotecnico[1].txt (ID = 3858)
10:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
10:15 PM: Starting File Sweep
10:15 PM: Found Trojan Horse: trojan downloader matcash
10:15 PM: c:\program files\common files\inetget (ID = -2147477182)
10:20 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:20 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:20 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:20 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:21 PM: nt68rrtc12.sys (ID = 220230)
10:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:23 PM: Found Adware: lopdotcom
10:23 PM: biasrefmath.exe (ID = 90)
10:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:35 PM: Found Adware: targetsaver
10:35 PM: class-barrel (ID = 78229)
10:36 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:36 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:37 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:37 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:38 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:38 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:38 PM: vocabulary (ID = 78283)
10:38 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:38 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:42 PM: Found Adware: enbrowser
10:42 PM: pf78.exe.tcf (ID = 244430)
10:48 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:48 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:51 PM: zeno.lnk (ID = 146127)
10:51 PM: zxdnt3d.cfg (ID = 91140)
10:51 PM: Found Adware: java byteverify
10:51 PM: gummy.class-78eafab3-55973863.class (ID = 64824)
10:51 PM: ke.vbs (ID = 185675)
10:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:55 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:55 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:55 PM: Found System Monitor: potentially rootkit-masked files
10:55 PM: g20060520_0846.trf (ID = 0)
10:55 PM: g20060409_1917.trf (ID = 0)
10:55 PM: g20060417_1740.trf (ID = 0)
10:55 PM: g20060422_1609.trf (ID = 0)
10:55 PM: g20060429_0134.trf (ID = 0)
10:55 PM: g20060504_0530.trf (ID = 0)
10:55 PM: g20060510_1522.trf (ID = 0)
10:55 PM: Warning: Unhandled Archive Type
10:55 PM: Warning: Unhandled Archive Type
10:56 PM: Warning: Invalid file - not a PKZip file
10:56 PM: Warning: Invalid Stream
10:56 PM: Warning: Invalid Stream
10:56 PM: Warning: Invalid Stream
10:56 PM: Warning: Invalid Stream
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: Warning: Invalid Stream
10:56 PM: Warning: Invalid Stream
10:56 PM: Warning: Invalid Stream
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: File Sweep Complete, Elapsed Time: 00:41:09
10:56 PM: Full Sweep has completed. Elapsed time 00:46:50
10:56 PM: Traces Found: 123
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:56 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
10:58 PM: The Spy Communication shield has blocked access to: paypopup.com
10:58 PM: The Spy Communication shield has blocked access to: paypopup.com
11:13 PM: Removal process initiated
11:13 PM: Quarantining All Traces: lopdotcom
11:13 PM: Quarantining All Traces: potentially rootkit-masked files
11:13 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
11:13 PM: g20060520_0846.trf is in use. It will be removed on reboot.
11:13 PM: g20060409_1917.trf is in use. It will be removed on reboot.
11:13 PM: g20060417_1740.trf is in use. It will be removed on reboot.
11:13 PM: g20060422_1609.trf is in use. It will be removed on reboot.
11:13 PM: g20060429_0134.trf is in use. It will be removed on reboot.
11:13 PM: g20060504_0530.trf is in use. It will be removed on reboot.
11:13 PM: g20060510_1522.trf is in use. It will be removed on reboot.
11:13 PM: Quarantining All Traces: trojan downloader matcash
11:13 PM: Quarantining All Traces: enbrowser
11:13 PM: Quarantining All Traces: quicklink search toolbar
11:13 PM: Quarantining All Traces: command
11:13 PM: Quarantining All Traces: java byteverify
11:13 PM: Quarantining All Traces: targetsaver
11:14 PM: Quarantining All Traces: zenosearchassistant
11:14 PM: Quarantining All Traces: 2o7.net cookie
11:14 PM: Quarantining All Traces: 50881381 cookie
11:14 PM: Quarantining All Traces: 888 cookie
11:14 PM: Quarantining All Traces: addynamix cookie
11:14 PM: Quarantining All Traces: adecn cookie
11:14 PM: Quarantining All Traces: adjuggler cookie
11:14 PM: Quarantining All Traces: adknowledge cookie
11:14 PM: Quarantining All Traces: adprofile cookie
11:14 PM: Quarantining All Traces: adrevolver cookie
11:14 PM: Quarantining All Traces: adserver cookie
11:14 PM: Quarantining All Traces: apmebf cookie
11:14 PM: Quarantining All Traces: ask cookie
11:14 PM: Quarantining All Traces: azjmp cookie
11:14 PM: Quarantining All Traces: belnk cookie
11:14 PM: Quarantining All Traces: bluestreak cookie
11:14 PM: Quarantining All Traces: burstbeacon cookie
11:14 PM: Quarantining All Traces: burstnet cookie
11:14 PM: Quarantining All Traces: cassava cookie
11:14 PM: Quarantining All Traces: clickandtrack cookie
11:14 PM: Quarantining All Traces: directtrack cookie
11:14 PM: Quarantining All Traces: enhance cookie
11:14 PM: Quarantining All Traces: exitexchange cookie
11:14 PM: Quarantining All Traces: falkag cookie
11:14 PM: Quarantining All Traces: fortunecity cookie
11:14 PM: Quarantining All Traces: hbmediapro cookie
11:14 PM: Quarantining All Traces: hotbar cookie
11:14 PM: Quarantining All Traces: humanclick cookie
11:14 PM: Quarantining All Traces: maxserving cookie
11:14 PM: Quarantining All Traces: mygeek cookie
11:14 PM: Quarantining All Traces: overture cookie
11:14 PM: Quarantining All Traces: partypoker cookie
11:14 PM: Quarantining All Traces: pointroll cookie
11:14 PM: Quarantining All Traces: popuptraffic cookie
11:14 PM: Quarantining All Traces: pro-market cookie
11:14 PM: Quarantining All Traces: qksrv cookie
11:14 PM: Quarantining All Traces: questionmarket cookie
11:14 PM: Quarantining All Traces: realmedia cookie
11:14 PM: Quarantining All Traces: reliablestats cookie
11:14 PM: Quarantining All Traces: revenue.net cookie
11:14 PM: Quarantining All Traces: ru4 cookie
11:14 PM: Quarantining All Traces: screensavers.com cookie
11:14 PM: Quarantining All Traces: searchingbooth cookie
11:14 PM: Quarantining All Traces: server.iad.liveperson cookie
11:14 PM: Quarantining All Traces: serving-sys cookie
11:14 PM: Quarantining All Traces: specificclick.com cookie
11:14 PM: Quarantining All Traces: statcounter cookie
11:14 PM: Quarantining All Traces: tacoda cookie
11:14 PM: Quarantining All Traces: top-banners cookie
11:14 PM: Quarantining All Traces: tradedoubler cookie
11:14 PM: Quarantining All Traces: trafficmp cookie
11:14 PM: Quarantining All Traces: tribalfusion cookie
11:14 PM: Quarantining All Traces: tripod cookie
11:14 PM: Quarantining All Traces: valuead cookie
11:14 PM: Quarantining All Traces: videodome cookie
11:14 PM: Quarantining All Traces: websponsors cookie
11:14 PM: Quarantining All Traces: yieldmanager cookie
11:14 PM: Quarantining All Traces: zedo cookie
11:14 PM: Quarantining All Traces: zenotecnico cookie
11:14 PM: Preparing to restart your computer. Please wait...
11:14 PM: Removal process completed. Elapsed time 00:00:56
********
10:08 PM: | Start of Session, Monday, May 29, 2006 |
10:08 PM: Spy Sweeper started
10:08 PM: Your spyware definitions have been updated.
10:09 PM: | End of Session, Monday, May 29, 2006 |

Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, May 30, 2006 12:41:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 30/05/2006
Kaspersky Anti-Virus database records: 185273
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
L:\

Scan Statistics:
Total number of scanned objects: 93728
Number of viruses found: 16
Number of infected objects: 30
Number of suspicious objects: 1
Duration of the scan process: 01:16:13

Infected Object Name / Virus Name / Last Action
C:\defender23.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04EB5AF3.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0500086A.exe Infected: Trojan-Downloader.Win32.PurityScan.bg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\050A065F.cab/Quicklinks.exe/data0001 Infected: Trojan.Win32.Runner.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\050A065F.cab/Quicklinks.exe Infected: Trojan.Win32.Runner.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\050A065F.cab CAB: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\050A065F.cab CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FC36D84.tmp Infected: Trojan-Downloader.Java.OpenConnection.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46CD54DC.tmp Infected: Trojan-Downloader.Java.OpenConnection.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46CD54DC.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46CD54DC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46CD54DC.zip CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A042953.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F496587.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\542F758E.exe Infected: Trojan.Win32.LowZones.cw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A7526A6.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A7526A6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A7526A6.zip CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FB064E4 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A4E43CB.hta Infected: Trojan-Downloader.VBS.Psyme.at skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018306.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018307.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018314.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018315.exe Infected: Trojan-Downloader.Win32.Adload.bt skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018326.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018629.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

Scan process completed.


And the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:10 AM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\TrojanHunter 4.5\IL.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks for your help! :)

#4 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 30 May 2006 - 07:00 AM

Good work, Christian!

Let's go ahead and delete those files from Quarantine.
WARNING: Do not do this unless you are sure that you do not need the files that are in Quarantine. Files removed from Quarantine are not placed in the Recycle bin. Removing files from Quarantine will permanently delete the files from the computer.
________________________________________
Go to the section that describes your version of Norton AntiVirus and follow the steps.

To remove Norton AntiVirus 2006 files from Norton Quarantine and Restore
  • Start Norton AntiVirus.
  • If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program and click Norton AntiVirus.
  • In the left pane, click Reports.
  • Click View Norton Quarantined and Restore
  • In the left pane, select the type of risk that you want to remove.
  • In the right pane, select the files that you want to remove.
  • To select multiple items, press and hold down the Ctrl key while clicking the items that you want to select for deletion. To select everything in Quarantine, click the first item in the list, and then press Shift+End.
  • Click Delete Item.
  • When prompted "Warning! Are you sure that you want to remove this item from Quarantine," click Yes.
  • Close the Quarantine window, and then exit Norton AntiVirus.
Please show all files for your system.
You will need to reverse this process when all steps are done.


Delete on Reboot tool
  • Start Hijackthis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the button labeled Delete a file on reboot...
  • A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file C:\defender23.exe and click on it once, and then click on the Open button.
  • You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button
Empty your recycle bin.
Please run Kaspersky again and post (reply) with the results along with a new HijackThis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#5 Christian (New Member, Authentic Member, 18 posts)

Posted 30 May 2006 - 12:43 PM

still have ads...lol

Kaspersky log:

Tuesday, May 30, 2006 2:35:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 30/05/2006
Kaspersky Anti-Virus database records: 185383


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
H:\
I:\
J:\
L:\

Scan Statistics
Total number of scanned objects 97584
Number of viruses found 12
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 01:18:15

Infected Object Name Virus Name Last Action
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018306.exe Infected: Backdoor.Win32.VB.ary skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018307.exe Infected: Trojan-Downloader.Win32.VB.adw skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018314.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018315.exe Infected: Trojan-Downloader.Win32.Adload.bt skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018326.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0007 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018629.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018670.exe Infected: Trojan-Downloader.Win32.Agent.am skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018671.exe Infected: Trojan-Downloader.Win32.PurityScan.bg skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018675.exe Infected: Trojan-Downloader.Win32.Adload.j skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018676.exe Infected: Trojan-Downloader.Win32.Adload.j skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018677.exe Infected: Trojan.Win32.LowZones.cw skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018678.hta Infected: Trojan-Downloader.VBS.Psyme.at skipped

C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018684.exe Infected: Trojan-Downloader.Win32.VB.adw skipped

Scan process completed.

HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 2:38:53 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Super DVD Creator 8.0\libavidd-1.3.2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Webvw32 - C:\WINDOWS\SYSTEM32\webvw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#6 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 30 May 2006 - 04:01 PM

Hello Christian,

We will work on those pop-ups now.

Please set your system to show all files; please see here if you're unsure how to do this.

C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
I am not sure about the file linkfastcdrom.exe. It may be a legitimate HP-related file, but I would like to check it out. If you know it is a valid file, just let me know; otherwise, let's submit it to Jotti. You may need to do a search on linkfastcdrom.exe to get the full path in order to locate it. The DOS path is listed above with the ~ and cut-off names.


STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
linkfastcdrom.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of the file (right-click and select Properties from the pop-up menu). See if you can find any company information, etc.


STEP 2.
======
FindLop

Download FindLop and unzip it to one folder.
Inside the folder, find findlop.bat.
Double-click it and it will create the file C:\findlop.txt.
Find that file and copy the contents into your next post.

Open Notepad, and copy/paste the codebox below into a new text file. Save it as "FindFolder.bat" on your Desktop. NOTE: you MUST use the quotes in the name you enter or else it will not be a valid batch file.


rem ? matches the one character in the folder name that the console cannot display; /a lists matching entries whatever their attributes (hidden and system included)
dir C:\WINDOWS\system32\s?curity /a > folders.txt
notepad folders.txt

Locate FindFolder.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

So I need the Jotti results (unless you know it is a valid file), the C:\findlop.txt, and the text from FindFolder.

#7 Christian (New Member, Authentic Member, 18 posts)

Posted 30 May 2006 - 08:28 PM

OK... here are the results from all that.

Jotti:
File: linkfastcdrom.exe
Status: INFECTED/MALWARE
MD5 d7645a312e3a4db966af0a63e3fec2d4
Packers detected: PE_PATCH.UPC, UPC
Scanner results
AntiVir Found Heuristic/Crypted (probable variant)
ArcaVir Found nothing
Avast Found Win32:Swizzor-gen
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Lop.bc
NOD32 Found a variant of Win32/TrojanDownloader.Swizzor
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Findlop:
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AB585151918FC7B9.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\docume~1\hp_owner\applic~1\upload~1\BiasRefMath.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'HP_Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/29/2006 23:00:00
NextRun: 05/30/2006 23:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/17/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

FindFolder:
Volume in drive C is HP_PAVILION
Volume Serial Number is 1C37-0926

Directory of C:\WINDOWS\system32

05/28/2006 11:10 AM <DIR> s?curity
0 File(s) 0 bytes

Directory of C:\Documents and Settings\HP_Owner\Desktop
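The FindFolder output above prints the folder as s?curity: a question mark cannot appear in a Windows file name, so it is cmd.exe's stand-in for a character it could not display, and the folder name only looks like "security". The script below is an added example, not code from the thread or from FindLop; it walks a directory tree and reports every directory whose name contains non-ASCII characters, what the name reads as once look-alike letters are mapped back to Latin, and whether a genuine ASCII sibling of that name sits beside it. The real character on Christian's machine is not known; the constructed demo tree uses a Cyrillic "е" (U+0435) to stand in for it, and the confusables table is a deliberately partial assumption.

```python
"""Find directory names built from look-alike (non-ASCII) characters, the trick
behind a folder that HijackThis and cmd.exe can only print as s?curity."""
import os
import shutil
import tempfile
import unicodedata

# Partial confusables table (assumption: the Cyrillic letters most often swapped
# for Latin ones; Unicode's confusables.txt is the complete reference).
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0406": "I", "\u0408": "J",
})


def skeleton(name: str) -> str:
    """Collapse compatibility forms (NFKC) and mapped confusables to plain Latin."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLE)


def describe(name: str) -> list:
    """(char, code point, Unicode name) for every non-ASCII character in name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for c in name if not c.isascii()]


def find_lookalike_dirs(root: str) -> list:
    """Walk root and report each directory whose name has non-ASCII characters:
    the path, what it reads as in Latin, whether an ASCII sibling of that
    name exists at the same level, and the offending characters."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        ascii_siblings = {d for d in dirnames if d.isascii()}
        for d in dirnames:
            if d.isascii():
                continue
            reads_as = skeleton(d)
            findings.append({
                "path": os.path.join(dirpath, d),
                "reads_as": reads_as,
                "shadows_sibling": reads_as in ascii_siblings,
                "chars": describe(d),
            })
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: a real 'security' folder next to one spelled
    with Cyrillic 'е' (U+0435). Assumption: the actual character in the
    thread's s?curity folder is unknown; this one stands in for it."""
    root = tempfile.mkdtemp(prefix="lookalike_demo_")
    os.makedirs(os.path.join(root, "system32", "security"))
    os.makedirs(os.path.join(root, "system32", "s\u0435curity"))
    os.makedirs(os.path.join(root, "Program Files", "Common Files"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for hit in find_lookalike_dirs(demo_root):
            print(hit["path"])
            print("  reads as:", hit["reads_as"],
                  "| shadows an ASCII sibling:", hit["shadows_sibling"])
            for ch, cp, nm in hit["chars"]:
                print(f"  {ch!r} {cp} {nm}")
    finally:
        shutil.rmtree(demo_root)
```

Run against a real profile, point find_lookalike_dirs at the directory HijackThis could not render (C:\WINDOWS\system32 here) rather than at a demo tree; the code-point list is what you would paste into a removal tool, since typing "security" will never match the look-alike name.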

#8 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 31 May 2006 - 09:31 AM

Enable 'show all files'.

Click on this link http://www.downloads...org/KillBox.zip to download TheKillbox by Option^Explicit. Extract it from the zip file, but don't use it yet.

Open HijackThis, click 'Do a system scan only', and check the boxes next to these lines:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O20 - Winlogon Notify: Webvw32 - C:\WINDOWS\SYSTEM32\webvw32.dll

Then close all browsers and Explorer windows until only HijackThis is running, and click 'Fix checked'.

Locate and double-click on Killbox.exe to run it.

Check the box 'Delete on reboot'.
Highlight the text in the box below, then press Ctrl+C to copy it to the clipboard:
c:\windows\tasks\AB585151918FC7B9.job
C:\WINDOWS\SYSTEM32\webvw32.dll
C:\WINDOWS\system32\msvscc32.exe
C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
Then go back to Killbox and click File > Paste from clipboard.

Click the button with the red circle with a white X in it. Close Killbox.
Answer Yes/OK to the prompts and allow the machine to reboot.

As the machine boots back up from the Killbox part of this fix, boot into Safe Mode by tapping F8 at boot, then use the up/down arrows to select Safe Mode.

Once in Safe Mode, using Windows Explorer, locate the following files and delete them:
C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe <== file
c:\docume~1\hp_owner\applic~1\upload~1\BiasRefMath.exe <== file

Exit Explorer and reboot back to Normal Mode, then post a fresh HijackThis log and new results from FindLop.
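The lines Susan picked out of the HijackThis log above follow a few patterns a helper checks by eye: a system.ini Shell= value that launches anything besides explorer.exe, browser add-ons with no name or no file behind them, Run-key autoruns that live under a user's Application Data instead of Program Files or the Windows folder, a path the tool could only render with a '?', and a Winlogon Notify DLL that no installed product accounts for. The script below is an added example, not code from the thread or from HijackThis, that turns those checks into rules and runs them over a constructed excerpt of the log; it also catches the orphaned O3 toolbar entry, which the post did not list but which matches the same "no file" pattern. The known-good Winlogon Notify list is an assumption taken from the clean entries in this log, and the sample lines are copied from the thread with its truncated URL left as-is.

```python
"""Triage a HijackThis 1.99 log for the autorun and hijack patterns seen in this thread."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code: "F2", "O2", "O3", "O4", "O20"
    reason: str
    line: str


# The only value the system.ini Shell= line should carry on Windows XP.
SAFE_SHELL = "explorer.exe"

# Winlogon Notify subkeys accepted as known-good. Assumption: taken from the
# clean entries in the log above (Intel graphics driver, Webroot Spy Sweeper);
# on another machine the list is rebuilt from that machine's installed products.
KNOWN_NOTIFY = {"igfxcui", "WRNotifier"}

# Autorun targets under a user-writable profile path (Application Data) rather
# than Program Files or %SystemRoot%, in either long or 8.3 short form.
USER_WRITABLE = re.compile(
    r"(?i)\\(docume~1|documents and settings)\\.*?\\(applic~1|application data)\\"
)

# Constructed sample: lines copied from the log posted above, good and bad mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E37323-C8CD-2B3A-7492-48EBA6400B33} - C:\DOCUME~1\HP_Owner\APPLIC~1\blehfind\Cool Program.exe (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Glue acid cool delete] C:\Documents and Settings\All Users\Application Data\ManagerMagsGlueAcid\Help platform.exe
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Webvw32 - C:\WINDOWS\SYSTEM32\webvw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def odd_path(path: str) -> bool:
    """A logged path containing '?' (illegal in a Windows file name, so the tool
    could not render the real character) or any non-ASCII character is suspect."""
    return "?" in path or not path.isascii()


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        if section == "F2" and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != SAFE_SHELL:
                findings.append(Finding(section, f"Shell= loads an extra program at logon: {shell}", line))

        elif section in ("O2", "O3"):
            if any(tag in line for tag in ("(no name)", "(file missing)", "(no file)")):
                findings.append(Finding(section, "unnamed or orphaned browser add-on", line))

        elif section == "O4":
            target = line.split(": ", 1)[1] if ": " in line else line
            target = re.sub(r"^\[[^\]]*\]\s*", "", target)   # drop the [RunKeyName] label
            if USER_WRITABLE.search(target):
                findings.append(Finding(section, "autorun from a user-writable profile path", line))
            elif odd_path(target):
                findings.append(Finding(section, "autorun path has an undisplayable or non-ASCII character", line))

        elif section == "O20" and "Winlogon Notify: " in line:
            name = line.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0]
            if name not in KNOWN_NOTIFY:
                findings.append(Finding(section, f"Winlogon Notify DLL not on the known-good list: {name}", line))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.section}] {hit.reason}\n    {hit.line}")
```

Feed triage() a whole saved log and it returns the candidate lines for a fix list; the rules are deliberately loud (any unknown Notify DLL, any autorun from Application Data), so each hit is still checked against the vendor before it goes to 'Fix checked', exactly as Susan did with Jotti for linkfastcdrom.exe.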

#9 Christian (New Member, Authentic Member, 18 posts)

Posted 31 May 2006 - 09:08 PM

OK, I did as you said, but I could not find the file c:\docume~1\hp_owner\applic~1\upload~1\BiasRefMath.exe

But besides that I did everything else. Here are the new logs:


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:42 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Easy Internet signup\locale.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Findlop:

[TRACE] Enumerating jobs and queues
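As an added example (not part of this thread, and not Susan528's or HijackThis's own code), here is a small Python triage of HijackThis lines like the ones in the log above. It encodes the checks a helper applies by eye: an F2 Shell= line that chains a second executable onto explorer.exe, an O20 Winlogon Notify DLL outside a short allowlist, O4 Run entries launched from a user's Application Data directory or whose path contains a non-ASCII or unprintable character (the `s?curity` folder is one), and orphaned entries whose file is gone. The sample lines are constructed from this thread's logs, and the BENIGN_NOTIFY allowlist is my assumption, not an authoritative list.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis logs posted in
# this thread (not a complete log). Backslashes are literal, hence the raw string.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [barbpoke] C:\DOCUME~1\HP_Owner\APPLIC~1\UPLOAD~1\linkfastcdrom.exe
O4 - HKCU\..\Run: [Dueslqh] C:\WINDOWS\system32\s?curity\arpa.exe
O20 - Winlogon Notify: Webvw32 - C:\WINDOWS\SYSTEM32\webvw32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Winlogon Notify packages commonly present on a stock Windows XP install.
# Assumption for this example only: extend it for the machine you are looking at.
BENIGN_NOTIFY = {
    "igfxcui", "crypt32chain", "cryptnet", "cscdll", "ScCertProp",
    "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if it looks unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # The registry hook is still there but its file is gone: harmless, but worth removing.
    if "(no file)" in body or "(file missing)" in body:
        return ("low", "orphaned entry, file no longer present")

    # Winlogon's Shell value should be explorer.exe alone; anything appended runs at every logon.
    if kind == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1]
        extras = [t for t in shell.split() if t.lower() != "explorer.exe"]
        if extras:
            return ("high", "extra program chained onto the Winlogon shell: " + " ".join(extras))

    # Winlogon Notify DLLs load into winlogon.exe itself, before any user session exists.
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if name not in BENIGN_NOTIFY:
            return ("high", "unrecognised Winlogon Notify package %r loads into winlogon.exe" % name)

    # Run-key autostarts: look at where the executable lives and how the path is spelled.
    if kind == "O4":
        path = body.split("] ", 1)[1] if "] " in body else body
        if any(ord(c) > 127 or c == "?" for c in path):
            return ("high", "autorun path contains a non-ASCII or unprintable character")
        low = path.lower()
        if "\\applic~1\\" in low or "\\application data\\" in low:
            return ("medium", "autorun launched from a user profile Application Data directory")
    return None


def triage(log_text):
    """Return [(severity, line, reason)] for every line that classify() flags, in log order."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append((result[0], line.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity.upper(), line, reason))
```

Run it against a pasted log and the F2 line, the Webvw32 Notify DLL and the two Application Data autostarts come out first, which is the same order of attention the helper gives them in this thread.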

#10 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 01 June 2006 - 07:01 AM

Hello Christian,

Looks like we got rid of the LOP. Still there are a couple of files which concern me. But we are making great progress! Good work! :)

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\Program Files\Easy Internet signup\locale.exe
Click the "Submit" button.
Please copy and post (reply) with the results.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of that file (right-click and select Properties from the pop-up menu). Look if you can find some company information, etc.

STEP 2.
======
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan:
  • Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.

Please post (reply) with the results from Jotti, Kaspersky, and a new HijackThis log.


#11 Christian (New Member, Authentic Member, 18 posts)

Posted 01 June 2006 - 12:33 PM

OK... the file C:\Program Files\Easy Internet signup\locale.exe did not exist, but there was a C:\Program Files\Easy Internet signup\locale.xml, so I put that into Jotti just in case that is what you meant.

Jotti:

STATUS: FINISHED
Complete scanning result of "locale.xml", received in VirusTotal at 06.01.2006, 18:06:01 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.34 06.01.2006 no virus found
Authentium 4.93.8 05.31.2006 no virus found
Avast 4.7.844.0 06.01.2006 no virus found
AVG 386 06.01.2006 no virus found
BitDefender 7.2 06.01.2006 no virus found
CAT-QuickHeal 8.00 06.01.2006 no virus found
ClamAV devel-20060426 05.31.2006 no virus found
DrWeb 4.33 06.01.2006 no virus found
eTrust-InoculateIT 23.72.23 06.01.2006 no virus found
eTrust-Vet 12.6.2237 06.01.2006 no virus found
Ewido 3.5 06.01.2006 no virus found
Fortinet 2.77.0.0 05.31.2006 no virus found
F-Prot 3.16f 05.31.2006 no virus found
Ikarus 0.2.65.0 06.01.2006 no virus found
Kaspersky 4.0.2.24 06.01.2006 no virus found
McAfee 4774 05.31.2006 no virus found
Microsoft 1.1441 06.01.2006 no virus found
NOD32v2 1.1573 06.01.2006 no virus found
Norman 5.90.17 06.01.2006 no virus found
Panda 9.0.0.4 05.31.2006 no virus found
Sophos 4.05.0 06.01.2006 no virus found
Symantec 8.0 06.01.2006 no virus found
TheHacker 5.9.8.152 06.01.2006 no virus found
UNA 1.83 05.30.2006 no virus found
VBA32 3.11.0 05.31.2006 no virus found


Aditional Information
File size: 13257 bytes
MD5: f9cc390d856efbdc9cc3e3ca3745889f
SHA1: 20f3aaf713cec580bf0209f92b700876b5c3b1d3

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 01, 2006 2:23:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 1/06/2006
Kaspersky Anti-Virus database records: 185828
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
L:\

Scan Statistics:
Total number of scanned objects: 110761
Number of viruses found: 10
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:25:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7\rmtag2[2].js Infected: Trojan-Clicker.JS.Tagem.a skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018306.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018326.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018629.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018670.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018671.exe Infected: Trojan-Downloader.Win32.PurityScan.bg skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018675.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018676.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018677.exe Infected: Trojan.Win32.LowZones.cw skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018678.hta Infected: Trojan-Downloader.VBS.Psyme.at skipped

Scan process completed.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:35 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetMeeting\nmwb.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
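The Kaspersky report above lists 15 infected objects, but all are marked "skipped" (the on-line scanner only reports; it does not clean), and 14 of them sit under System Volume Information\_restore, i.e. in System Restore points, where they are inert until someone restores that point and are purged by disabling and re-enabling System Restore. The one object outside a restore point is a script in the browser cache. As an added example (not part of this thread, and not Kaspersky's or the helper's own code), here is a Python parser that performs that triage over report lines of this shape. The sample is constructed from a subset of the real lines above plus one invented EICAR line at a made-up path so the "live" branch is exercised.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Kaspersky on-line scanner report posted
# above: a subset of its real lines plus one made-up EICAR line (invented path)
# so that the "live" category is exercised.
SAMPLE_REPORT = r"""
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7\rmtag2[2].js Infected: Trojan-Clicker.JS.Tagem.a skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018306.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP267\A0018412.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP268\A0018678.hta Infected: Trojan-Downloader.VBS.Psyme.at skipped
C:\Program Files\Example\eicar.com Infected: EICAR-Test-File skipped
"""

# Two line shapes occur in the report: "<path> Infected: <name> <action>" for a
# plain object, and "<path> <container>: infected - <n> <action>" for an archive
# (here an NSIS installer) whose members were listed separately just before it.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<container>\w+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)
RESTORE_POINT_RE = re.compile(r"\\(RP\d+)\\")


def locate(path):
    """Classify where a detected object lives, which decides how it is dealt with."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"   # inert copy kept by System Restore; flush the restore points
    if "\\temporary internet files\\" in low:
        return "browser-cache"   # drive-by payload cached by IE; clear the cache
    return "live"                # on the running system; needs actual removal


def parse_report(text):
    """Return one dict per finding line, in report order; non-matching lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if m.group("name"):
            name = m.group("name")
        else:
            name = "%s container, %s infected members" % (m.group("container"), m.group("count"))
        rp = RESTORE_POINT_RE.search(path)
        findings.append({
            "path": path,
            "name": name,
            "action": m.group("action"),
            "location": locate(path),
            "restore_point": rp.group(1) if rp else None,
        })
    return findings


def summarize(text):
    """Count findings per location category."""
    return Counter(f["location"] for f in parse_report(text))


def restore_points(text):
    """Sorted list of the restore points that hold detected objects."""
    return sorted({f["restore_point"] for f in parse_report(text) if f["restore_point"]})


def needs_action(text):
    """Findings that are not just restore-point copies and that the scanner did not remove."""
    return [f for f in parse_report(text)
            if f["location"] != "restore-point" and f["action"] != "deleted"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_REPORT)))
    print("restore points to flush:", ", ".join(restore_points(SAMPLE_REPORT)))
    for f in needs_action(SAMPLE_REPORT):
        print("%-13s %s  (%s)" % (f["location"], f["path"], f["name"]))
```

The design point is that the location decides the response: restore-point hits are handled wholesale by flushing System Restore, cache hits by clearing the cache, and only the "live" set needs file-by-file removal of the kind the Avenger script below performs.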

#12 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 01 June 2006 - 01:18 PM

Please download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file
Then, extract avenger.exe to the Desktop

Next, copy all the blue text below to the Clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7\rmtag2[2].js
C:\WINDOWS\system32\msvscc32.exe

Folders to delete:
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7



Start The Avenger program by clicking its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script
Paste the text copied to clipboard into this window by pressing Ctrl+V.
Click Done

Next, click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

The Avenger automatically does the following:
Restarts the computer.
On reboot, briefly opens a black command window on the Desktop. This is normal.

After the restart, it creates a log that opens with the results of Avenger's actions.
This log is located at C:\avenger.txt

Please provide C:\avenger.txt in your reply.

Open HijackThis, scan, and check the box next to this line:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\msvscc32.exe
Then close all browsers and Explorer windows until only HijackThis is running, and click Fix checked.

Please post (reply) with the C:\avenger.txt and a fresh HijackThis log.

#13 Christian (New Member, Authentic Member, 18 posts)

Posted 01 June 2006 - 01:30 PM

Alright... here are the new logs.

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\araijnyw

*******************

Script file located at: \??\C:\WINDOWS\kixioosf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7\rmtag2[2].js deleted successfully.
File C:\WINDOWS\system32\msvscc32.exe deleted successfully.
Folder C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPOB4JE7 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:25:14 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft ActiveSync\RICHINK.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#14 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 01 June 2006 - 01:57 PM

Scan with HijackThis. Place a check against each of the following:
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Microsoft ActiveSync\RICHINK.exe <== file
Exit Explorer, and reboot as normal afterwards.

Can you run ewido again and post the log from ewido?

Post (reply) with ewido log and a fresh HijackThis log.

#15 Christian (New Member, Authentic Member, 18 posts)

Posted 01 June 2006 - 04:15 PM

OK... done that...

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:05:09 PM, 6/1/2006
+ Report-Checksum: A0A4C88

+ Scan result:

[2508] C:\Program Files\WinRAR\wUnRAR.exe -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wfkigncjcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wgkyajazeap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wgkyqmd5iep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wglouoazkgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wgmycjd5aao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@heritagegalleries.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\WinRAR\wUnRAR.exe -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\pwinlqez.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:24 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
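The helper's call in post #14 rests on one HijackThis convention: an entry whose target reads "(no file)" or "(file missing)" is a registry hook pointing at nothing, and an O2/O3 add-on with "(no name)" is worth a second look. The log in post #15 still carries two such dangling entries (the O18 msnim protocol handler and the O20 WRNotifier Winlogon notify DLL). The script below is an added example written for this page, not a tool from the thread or from HijackThis itself: it applies those two rules to a constructed sample made of lines copied from the logs above and returns the entries a helper would tick in "Fix checked". Section names, the regular expression and the reason strings are the example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: HijackThis v1.99.1 lines copied from the log in
# post #15, plus the O3 toolbar entry the helper singled out in post #14.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\\Program Files\\HP\\Digital Imaging\\bin\\HPDTLK02.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# A HijackThis entry is "<section> - <body>"; sections are R0..R3, F0..F3,
# N1..N4 and O1..O24 (assumed layout, matching the lines in this thread).
ENTRY = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Return the entries a helper would tick in 'Fix checked', with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and the running-process list carry no registry hook
        sec, body = m.group("sec"), m.group("body")
        lower = body.lower()
        if any(marker in lower for marker in ORPHAN_MARKERS):
            # The registry still points at a DLL/EXE that no longer exists:
            # a half-removed product, or a malware hook whose payload was
            # already deleted by a scanner. Fixing it drops the dangling reference.
            findings.append(Finding(sec, "orphaned entry: target file does not exist", line))
        elif sec in ("O2", "O3") and "(no name)" in lower:
            # Legitimate BHOs and toolbars register a display name; a
            # nameless one deserves a look even when its file still exists.
            findings.append(Finding(sec, "unnamed BHO/toolbar", line))
    return findings


def fix_checked(log_text: str) -> list:
    """The exact lines to place a check against in HijackThis."""
    return [f.line for f in triage(log_text)]


def summarize(log_text: str) -> dict:
    """Count findings per HijackThis section, e.g. {'O3': 1, 'O18': 1, 'O20': 1}."""
    return dict(Counter(f.section for f in triage(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<45} {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run against the sample it reports the O3 toolbar from post #14 and the two "(file missing)" entries from post #15; everything with a live target (the Java BHO, the HP toolbar, the AVG Run key, the iPod service) passes through untouched. The rules deliberately stop at what the log proves: a missing file is a fact, while judging a present file as malicious needs the scanner output or a hash lookup, which this script does not attempt.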
