Surf SideKick 3 Pop-ups


10 replies to this topic

#1 jeannette

New Member, 5 posts

Posted 01 June 2006 - 11:51 PM

Hi,
I'm trying to clean up my parents' computer which has been plagued with pop-ups for months. I've run various scans with Adaware, Spybot, CWShredder, TrojanHunter, and Cleanup but SSK 3 refuses to leave. I've tried to 'fix' the SSK entries in HJT, but they always come back. Every time I turn on the computer, I'm overrun with pop-ups. People have advised me to uninstall, but I couldn't find the program in Add/Remove. I was not able to delete the SSK3 folder in Program Files. Inside the folder were two files that I cannot delete: sskbho.dll and sskcore.dll. When I go into the Registry Editor, the files deleted come back almost right away. I'm running out of ideas, I hope someone can help!

Jeannette

Logfile of HijackThis v1.99.1
Scan saved at 9:53:40 PM, on 6/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\PROGRA~1\NAVNT\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\NAVNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\BMCENT~1\BMClient.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\PROGRA~1\NAVNT\vptray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\n?svc32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINNT\YSTEM3~1\alg.exe
C:\program files\common files\aol\1100833569\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\HijackThis\HijackThis.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\tkcew.exe
F3 - REG:win.ini: load= ualalloc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ffjhiey.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINNT\system32\adrotate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [7NWLG] C:\documents and settings\administrator\local settings\temp\7NWLG.exe
O4 - HKLM\..\Run: [4D2##9C3HLPN6@] C:\WINNT\system32\Hsyfa.exe
O4 - HKLM\..\Run: [AutoLoaderqF2v1bKKPKac] "C:\WINNT\System32\pdhpbrd.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [tfyjcrvcju] C:\WINNT\System32\rkwlllo.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [l0] C:\windows\l0.exe
O4 - HKLM\..\Run: [85u1] C:\documents and settings\administrator\local settings\temp\85u1.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAVNT\vptray.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wcucfy] C:\WINNT\system32\n?svc32.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Ptwe] "C:\WINNT\YSTEM3~1\alg.exe" -vt rbnd
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134705761684
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pacsweb/AMI/install/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://pacsweb/AMI/i...l/amiviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D93E8DB2-13F1-4AE5-8BA6-F1A77B72D32B}: NameServer = 140.163.233.106,140.163.103.193
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O20 - AppInit_DLLs: repairs303169560.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAVNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NAVNT\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
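As an added illustration (not part of the thread, and not a tool either poster used), the persistence points in a HijackThis log like the one above can be triaged mechanically. The script below is assumed here: it checks a copied subset of the posted lines against Windows 2000 baselines (Shell=, UserInit=, win.ini load=, AppInit_DLLs) and a few Run-key heuristics, and explains why each flagged entry matters.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted above (a constructed subset,
# one or two lines per check this script performs).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\tkcew.exe
F3 - REG:win.ini: load= ualalloc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ffjhiey.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [7NWLG] C:\documents and settings\administrator\local settings\temp\7NWLG.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Ptwe] "C:\WINNT\YSTEM3~1\alg.exe" -vt rbnd
O4 - HKCU\..\Run: [Wcucfy] C:\WINNT\system32\n?svc32.exe
O20 - AppInit_DLLs: repairs303169560.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAVNT\DefWatch.exe
"""

SYSTEM_DIR = r"c:\winnt\system32"  # Windows 2000 layout, as in the posted log
SYSTEM_BINARIES = {"alg.exe", "svchost.exe", "userinit.exe", "lsass.exe", "explorer.exe"}
KNOWN_ADWARE_NAMES = {"surfsidekick 3"}  # the product named in this thread

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CMD_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|pif))"?(?=\s|$)', re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def split_command(cmd):
    """Separate the launched image path from its arguments."""
    m = CMD_RE.match(cmd)
    if not m:
        return cmd.split()[0], ""
    return m.group("path"), cmd[m.end():].strip()


def check_run_entry(name, cmd):
    """Heuristics for O4 (Run key) lines; returns a list of reasons, possibly empty."""
    path, args = split_command(cmd)
    lpath = path.lower()
    folder, _, binary = lpath.rpartition("\\")
    reasons = []
    if "\\temp\\" in lpath:
        reasons.append("autostart from a temp directory")
    if "?" in lpath:
        reasons.append("path contains a character HijackThis could not render")
    if binary in SYSTEM_BINARIES and folder != SYSTEM_DIR:
        reasons.append(f"system binary name {binary} run from {folder or 'an unqualified path'}")
    if binary == "iexplore.exe" and args.lower().startswith("http"):
        reasons.append("browser launched with a URL at logon")
    if name.lower() in KNOWN_ADWARE_NAMES:
        reasons.append(f"Run value name matches adware named in the thread ({name})")
    # Heuristic: letters/digits only with at least one digit looks machine-generated.
    if re.fullmatch(r"[A-Za-z0-9#@]+", name) and re.search(r"\d", name):
        reasons.append("Run value name looks machine-generated")
    return reasons


def check_ini_entry(line):
    """F2/F3 lines: Shell=, UserInit= and load= have known-good baseline values."""
    key, _, value = line.split(": ", 1)[1].partition("=")
    key, value = key.strip().lower(), value.strip()
    if key == "shell" and value.lower() != "explorer.exe":
        return ["Shell= lists programs besides Explorer.exe; each runs as the shell at logon"]
    if key == "userinit":
        parts = [p for p in value.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
            return ["UserInit= has extra entries; each runs before the desktop appears"]
    if key == "load" and value:
        return ["win.ini load= is empty on a clean system"]
    return []


def triage(log_text):
    """Return one Finding per HijackThis line that trips at least one heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reasons = check_run_entry(m.group("name"), m.group("cmd"))
        elif line.startswith(("F2 - REG:", "F3 - REG:")):
            reasons = check_ini_entry(line)
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Empty on a clean system; a listed DLL loads into every process that
            # maps user32.dll, which is why such entries keep reappearing.
            reasons = ["AppInit_DLLs is set"] if line.split(":", 1)[1].strip() else []
        else:
            reasons = []  # O2/O3/O23 etc. need an allowlist; not handled here
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags nine of the twelve sample lines; the Synchronization Manager, Winlogon Notify and O23 lines pass, which is the point of comparing against a baseline rather than deleting everything unfamiliar.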



#2 Susan528

SuperMember, Authentic Member, 3,194 posts

Posted 02 June 2006 - 01:28 PM

Hello jeannette and Welcome to TomCoyote,

You have more than SSK 3. Let's start out with a couple of scans to clean up a few items.

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next.
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful".
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005


#3 jeannette

New Member, 5 posts

Posted 03 June 2006 - 09:48 AM

Ok. Thanks for the help by the way. Here are the scan logs.


Jeannette


********
2:15 AM: | Start of Session, Saturday, June 03, 2006 |
2:15 AM: Spy Sweeper started
2:15 AM: Sweep initiated using definitions version 691
2:15 AM: Found Adware: surfsidekick
2:15 AM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\inprocserver32\ (2 subtraces) (ID = 1055337)
2:15 AM: SskBho.dll (ID = 1055337)
2:15 AM: Starting Memory Sweep
2:17 AM: Detected running threat: C:\WINNT\system32\repairs303169560.dll (ID = 269153)
2:27 AM: Found Adware: purityscan
2:27 AM: Detected running threat: C:\WINNT\?ystem32\alg.exe (ID = 230)
2:29 AM: Memory Sweep Complete, Elapsed Time: 00:14:01
2:29 AM: Starting Registry Sweep
2:30 AM: Found Adware: ie driver
2:30 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{8f9fbeb8-d216-4d6c-8d21-513157e09c0d}\ (4 subtraces) (ID = 128062)
2:30 AM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143389)
2:30 AM: HKLM\software\classes\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143392)
2:30 AM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
2:30 AM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
2:30 AM: Found Adware: wildmedia
2:30 AM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
2:30 AM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
2:30 AM: HKLM\software\microsoft\windows\currentversion\uninstall\middadle\ (1 subtraces) (ID = 146958)
2:30 AM: Found Adware: winad
2:30 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 775720)
2:30 AM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 819064)
2:30 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\winnt\downloaded program files\mediagatewayx.dll (ID = 838612)
2:30 AM: Found Adware: elitemediagroup-pop64
2:30 AM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
2:30 AM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
2:30 AM: Found Adware: ezula ilookup
2:30 AM: HKLM\software\microsoft\bit1ocker\ (1 subtraces) (ID = 1157705)
2:30 AM: Found Adware: safesearch
2:30 AM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
2:30 AM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
2:30 AM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
2:30 AM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
2:30 AM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
2:30 AM: HKLM\software\irismon\ (22 subtraces) (ID = 1165615)
2:30 AM: HKLM\software\microsoft\windows\currentversion\uninstall\irismon\ (2 subtraces) (ID = 1165617)
2:30 AM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
2:30 AM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
2:30 AM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
2:30 AM: Found Adware: linkmaker
2:30 AM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
2:30 AM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
2:30 AM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
2:30 AM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
2:31 AM: HKCR\da.bomb\ (5 subtraces) (ID = 1221354)
2:31 AM: HKCR\da.bomb.1\ (3 subtraces) (ID = 1221359)
2:31 AM: HKCR\onone.theimp\ (5 subtraces) (ID = 1221362)
2:31 AM: HKCR\onone.theimp.1\ (3 subtraces) (ID = 1221367)
2:31 AM: HKCR\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221449)
2:31 AM: HKLM\software\classes\da.bomb\ (5 subtraces) (ID = 1221507)
2:31 AM: HKLM\software\classes\da.bomb.1\ (3 subtraces) (ID = 1221512)
2:31 AM: HKLM\software\classes\onone.theimp\ (5 subtraces) (ID = 1221515)
2:31 AM: HKLM\software\classes\onone.theimp.1\ (3 subtraces) (ID = 1221523)
2:31 AM: HKLM\software\classes\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221605)
2:31 AM: Found Adware: trafficsolution
2:31 AM: HKCR\bannerrotator.rotator\ (5 subtraces) (ID = 1337087)
2:31 AM: HKCR\clsid\{d117a61f-92c3-4450-a0c8-f425b14d4127}\ (11 subtraces) (ID = 1337097)
2:31 AM: HKCR\typelib\{defdeada-c390-4eb9-97fa-59d56b21e5d5}\ (9 subtraces) (ID = 1337109)
2:31 AM: HKLM\software\classes\clsid\{d117a61f-92c3-4450-a0c8-f425b14d4127}\ (11 subtraces) (ID = 1337128)
2:31 AM: HKLM\software\classes\typelib\{defdeada-c390-4eb9-97fa-59d56b21e5d5}\ (9 subtraces) (ID = 1337140)
2:31 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d117a61f-92c3-4450-a0c8-f425b14d4127}\ (1 subtraces) (ID = 1342110)
2:31 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
2:31 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
2:31 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\software\surfsidekick3\ (2 subtraces) (ID = 143412)
2:31 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
2:31 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\software\microsoft\internet explorer\main\ || updater (ID = 146721)
2:31 AM: Found Adware: cydoor
2:31 AM: HKU\WRSS_Profile_S-1-5-21-1060284298-2146799379-1708537768-1000\software\cydoor\ (300 subtraces) (ID = 639126)
2:31 AM: HKU\WRSS_Profile_S-1-5-21-1060284298-2146799379-1708537768-1000\software\cydoor services\ (10 subtraces) (ID = 639128)
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: TIdentifyRegistryObj.Identify: Unable to map user: S-1-5-18
2:31 AM: Registry Sweep Complete, Elapsed Time:00:01:15
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: Cannot open file "C:\Documents and Settings\SYSTEM\NTUser.dat". The process cannot access the file because it is being used by another process
2:31 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-18
2:31 AM: Starting Cookie Sweep
2:31 AM: Found Spy Cookie: 888 cookie
2:31 AM: administrator@888[1].txt (ID = 2019)
2:31 AM: administrator@888[2].txt (ID = 2019)
2:31 AM: Found Spy Cookie: yieldmanager cookie
2:31 AM: administrator@ad.yieldmanager[2].txt (ID = 3751)
2:31 AM: Found Spy Cookie: hbmediapro cookie
2:31 AM: administrator@adopt.hbmediapro[2].txt (ID = 2768)
2:31 AM: Found Spy Cookie: cassava cookie
2:31 AM: administrator@cassava[1].txt (ID = 2362)
2:31 AM: Found Spy Cookie: exitexchange cookie
2:31 AM: administrator@exitexchange[1].txt (ID = 2633)
2:31 AM: Found Spy Cookie: kmpads cookie
2:31 AM: administrator@kmpads[2].txt (ID = 2909)
2:31 AM: Found Spy Cookie: webtrends cookie
2:31 AM: administrator@m.webtrends[2].txt (ID = 3669)
2:31 AM: Found Spy Cookie: realmedia cookie
2:31 AM: administrator@realmedia[1].txt (ID = 3235)
2:31 AM: Found Spy Cookie: videodome cookie
2:31 AM: administrator@videodome[1].txt (ID = 3638)
2:31 AM: administrator@www.888[1].txt (ID = 2020)
2:31 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
2:31 AM: Starting File Sweep
2:31 AM: c:\program files\surfsidekick 3 (2 subtraces) (ID = -2147480186)
2:31 AM: Found Adware: delfin
2:31 AM: c:\documents and settings\all users\application data\pcsvc (8 subtraces) (ID = -2147481135)
2:34 AM: Found Adware: clkoptimizer
2:34 AM: epespie.dll (ID = 216821)
2:35 AM: nst43a.dll (ID = 180772)
2:55 AM: Found Adware: gain - common components
2:55 AM: gatorpdpsetup.log (ID = 61399)
3:05 AM: google.com.esp (ID = 61446)
3:08 AM: Found Adware: brilliant digital
3:08 AM: config3.ini (ID = 51769)
3:08 AM: virtualvegas.com.esp (ID = 61636)
3:15 AM: lycos.com.esp (ID = 61509)
3:32 AM: Found Adware: onflow
3:32 AM: onflowplayer0.dll (ID = 71515)
3:33 AM: tkcew.exe (ID = 268934)
3:34 AM: 00017199.exe (ID = 73246)
3:39 AM: uninstaller.exe (ID = 88858)
3:43 AM: Found Adware: blazefind
3:43 AM: atl.dll (ID = 51387)
3:47 AM: Found Adware: cws-aboutblank
3:47 AM: 00017197.dll (ID = 55234)
3:50 AM: bitsprx4.dll (ID = 292648)
3:51 AM: fvfvdjf.exe.tcf (ID = 216822)
3:51 AM: ealaxy.exe (ID = 268995)
3:51 AM: HKU\S-1-5-21-1060284298-2146799379-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Run || aovsy (ID = 0)
3:53 AM: ffjhiey.exe (ID = 268932)
3:54 AM: sskknwrd.dll (ID = 77733)
3:57 AM: bu7dyo4f.exe (ID = 275848)
3:57 AM: o6k1p.ipn (ID = 276229)
3:57 AM: Found Adware: quicklink search toolbar
3:57 AM: eyy0z2eo.exe.tcf (ID = 271300)
3:57 AM: ss1205.exe.tcf (ID = 278244)
3:57 AM: bk.exe (ID = 269148)
3:57 AM: Found Adware: mirar webband
3:57 AM: 876057.exe.tcf (ID = 185463)
3:57 AM: pupgb.dat (ID = 209705)
3:57 AM: jxadj.dat (ID = 268995)
3:57 AM: irismon.dll.tcf (ID = 246191)
3:57 AM: repairs303169560.dll (ID = 269153)
3:57 AM: justin2.exe (ID = 247604)
3:58 AM: wawqrp.exe.tcf (ID = 209705)
3:59 AM: 00019747 (ID = 88059)
3:59 AM: Found Adware: wild media - statblaster
3:59 AM: 00018764 (ID = 77117)
3:59 AM: 00016444 (ID = 88059)
3:59 AM: 00018594 (ID = 77117)
3:59 AM: 00015833 (ID = 77117)
3:59 AM: 00019222 (ID = 88059)
3:59 AM: 00019748 (ID = 77117)
3:59 AM: 00019454 (ID = 88059)
3:59 AM: 00017828 (ID = 77117)
3:59 AM: 00017307 (ID = 88059)
3:59 AM: 00016672 (ID = 77117)
3:59 AM: 00015836 (ID = 88059)
3:59 AM: 00019645 (ID = 88059)
3:59 AM: 00019714 (ID = 88059)
3:59 AM: 00019745 (ID = 88059)
3:59 AM: 00020147 (ID = 88059)
3:59 AM: 00015457 (ID = 88059)
3:59 AM: 00015640 (ID = 88059)
3:59 AM: 00015721 (ID = 88059)
3:59 AM: 00015835 (ID = 88059)
3:59 AM: 00016098 (ID = 88059)
3:59 AM: 00016248 (ID = 88059)
3:59 AM: 00016352 (ID = 88059)
3:59 AM: 00016673 (ID = 88059)
3:59 AM: 00016674 (ID = 88059)
3:59 AM: 00017306 (ID = 77117)
3:59 AM: 00017608 (ID = 88059)
4:00 AM: 00017787 (ID = 88059)
4:00 AM: 00017827 (ID = 88059)
4:00 AM: 00018762 (ID = 88059)
4:00 AM: 00017963 (ID = 77117)
4:00 AM: 00018763 (ID = 88059)
4:00 AM: 00019110 (ID = 77117)
4:00 AM: 00019221 (ID = 88059)
4:00 AM: 00019223 (ID = 77117)
4:00 AM: tempwm_fuins.bat (ID = 88794)
4:00 AM: sites.csf (ID = 61583)
4:00 AM: eguard.com.csf (ID = 61348)
4:00 AM: Warning: Invalid file - not a PKZip file
4:00 AM: Warning: Invalid file - not a PKZip file
4:03 AM: File Sweep Complete, Elapsed Time: 01:32:13
4:03 AM: Full Sweep has completed. Elapsed time 01:47:11
4:03 AM: Traces Found: 667
4:16 AM: Removal process initiated
4:16 AM: Quarantining All Traces: clkoptimizer
4:16 AM: Quarantining All Traces: cws-aboutblank
4:16 AM: Quarantining All Traces: ie driver
4:16 AM: Quarantining All Traces: purityscan
4:16 AM: Quarantining All Traces: wildmedia
4:16 AM: Quarantining All Traces: blazefind
4:16 AM: Quarantining All Traces: delfin
4:16 AM: Quarantining All Traces: linkmaker
4:16 AM: Quarantining All Traces: quicklink search toolbar
4:16 AM: Quarantining All Traces: safesearch
4:16 AM: Quarantining All Traces: surfsidekick
4:17 AM: surfsidekick is in use. It will be removed on reboot.
4:17 AM: SskBho.dll is in use. It will be removed on reboot.
4:17 AM: c:\program files\surfsidekick 3 is in use. It will be removed on reboot.
4:17 AM: repairs303169560.dll is in use. It will be removed on reboot.
4:17 AM: C:\WINNT\system32\repairs303169560.dll is in use. It will be removed on reboot.
4:17 AM: Quarantining All Traces: winad
4:17 AM: Quarantining All Traces: brilliant digital
4:17 AM: Quarantining All Traces: cydoor
4:17 AM: Quarantining All Traces: elitemediagroup-pop64
4:17 AM: Quarantining All Traces: ezula ilookup
4:17 AM: Quarantining All Traces: mirar webband
4:17 AM: Quarantining All Traces: onflow
4:17 AM: Quarantining All Traces: trafficsolution
4:17 AM: Quarantining All Traces: wild media - statblaster
4:17 AM: Quarantining All Traces: 888 cookie
4:17 AM: Quarantining All Traces: cassava cookie
4:17 AM: Quarantining All Traces: exitexchange cookie
4:17 AM: Quarantining All Traces: gain - common components
4:17 AM: Quarantining All Traces: hbmediapro cookie
4:17 AM: Quarantining All Traces: kmpads cookie
4:18 AM: Quarantining All Traces: realmedia cookie
4:18 AM: Quarantining All Traces: videodome cookie
4:18 AM: Quarantining All Traces: webtrends cookie
4:18 AM: Quarantining All Traces: yieldmanager cookie
4:21 AM: Preparing to restart your computer. Please wait...
4:21 AM: Removal process completed. Elapsed time 00:05:47
********
2:13 AM: | Start of Session, Saturday, June 03, 2006 |
2:13 AM: Spy Sweeper started
2:15 AM: Your spyware definitions have been updated.
2:15 AM: | End of Session, Saturday, June 03, 2006 |


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:35:40 AM, 6/3/2006
+ Report-Checksum: 7F1640F2

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINNT\system32\irsmmizk.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\swintrag.exe.tcf -> Adware.ZenoSearch : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 5:40:29 AM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\PROGRA~1\NAVNT\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NAVNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NAVNT\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\n?svc32.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\program files\common files\aol\1100833569\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load= ualalloc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ffjhiey.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [7NWLG] C:\documents and settings\administrator\local settings\temp\7NWLG.exe
O4 - HKLM\..\Run: [4D2##9C3HLPN6@] C:\WINNT\system32\Hsyfa.exe
O4 - HKLM\..\Run: [AutoLoaderqF2v1bKKPKac] "C:\WINNT\System32\pdhpbrd.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [tfyjcrvcju] C:\WINNT\System32\rkwlllo.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [l0] C:\windows\l0.exe
O4 - HKLM\..\Run: [85u1] C:\documents and settings\administrator\local settings\temp\85u1.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAVNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wcucfy] C:\WINNT\system32\n?svc32.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Ptwe] "C:\WINNT\YSTEM3~1\alg.exe" -vt rbnd
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134705761684
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pacsweb/AMI/install/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://pacsweb/AMI/i...l/amiviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D93E8DB2-13F1-4AE5-8BA6-F1A77B72D32B}: NameServer = 140.163.233.106,140.163.103.193
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O20 - AppInit_DLLs: repairs303169560.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAVNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NAVNT\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 03 June 2006 - 10:42 AM

Hello and Welcome to the Forums!

STEP 1.
======
Cleaning Files

Navigate to C:\Windows\Prefetch to delete the items in the Prefetch folder (but not the Prefetch folder itself)
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp to delete the items in the Temp folder (but not the Temp folder itself)
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp to delete the items in the Temp folder (but not the Temp folder itself)
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Note: If you cannot seem to navigate to the Temp folder above, use the Search feature and search on C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp\*.*

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 2.
======
Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Trojan Hunter Guard:
Please disable Trojan Hunter Guard, as it may interfere with the fix.
To disable Trojan Hunter Guard:
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red.
  • Right click it and select Settings. Uncheck "Load at startup" and "Enabled".
Once your log is clean you can re-enable Trojan Hunter Guard.

Disable Microsoft Windows Defender:
We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load= ualalloc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ffjhiey.exe
O4 - HKLM\..\Run: [7NWLG] C:\documents and settings\administrator\local settings\temp\7NWLG.exe
O4 - HKLM\..\Run: [AutoLoaderqF2v1bKKPKac] "C:\WINNT\System32\pdhpbrd.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [tfyjcrvcju] C:\WINNT\System32\rkwlllo.exe
O4 - HKLM\..\Run: [l0] C:\windows\l0.exe
O4 - HKLM\..\Run: [85u1] C:\documents and settings\administrator\local settings\temp\85u1.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O4 - HKCU\..\Run: [Wcucfy] C:\WINNT\system32\n?svc32.exe
O4 - HKCU\..\Run: [Ptwe] "C:\WINNT\YSTEM3~1\alg.exe" -vt rbnd
O20 - AppInit_DLLs: repairs303169560.dll

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them if they exist:
C:\WINNT\System32\pdhpbrd.exe<==file
C:\WINNT\System32\rkwlllo.exe<==file
C:\windows\l0.exe<==file
C:\WINNT\YSTEM3~1\alg.exe<==file

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.

Edited by Susan528, 03 June 2006 - 10:42 AM.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
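Susan528's list above picks out the HijackThis entries to fix by eye. The script below is an added example, not code from this thread or from HijackThis, that applies the same first-pass checks mechanically to HJT-style lines: an F2 UserInit value with a second executable appended after userinit.exe, a non-empty F3 win.ini load= value, O4 Run entries that start from a Temp folder, launch Internet Explorer with a URL, contain an unprintable character in the file name, or sit under a Windows folder that is not this system's own (C:\windows on a C:\WINNT install), and a non-empty O20 AppInit_DLLs value. The sample lines are copied from the 03 June 2006 05:40 log posted in this thread; the rule names, the Finding structure and the way %WINDIR% is derived from the smss.exe path are my own choices and only a triage aid, not a verdict on any entry.

```python
"""Mechanical triage of HijackThis-style log lines.

Added example (not from the thread or from HijackThis). It encodes the
entry types a malware-removal helper checks first: F2/F3 logon hooks,
O4 Run entries that start from unusual places, and O20 AppInit_DLLs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    line: str     # the log line that triggered the rule
    reason: str   # why it was flagged


# Sample input: a subset of the 03 June 2006 05:40 log from this thread,
# plus its Platform/process header so the script can learn %WINDIR%.
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe

F3 - REG:win.ini: load= ualalloc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ffjhiey.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [7NWLG] C:\documents and settings\administrator\local settings\temp\7NWLG.exe
O4 - HKLM\..\Run: [l0] C:\windows\l0.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://__adstart
O4 - HKCU\..\Run: [Wcucfy] C:\WINNT\system32\n?svc32.exe
O20 - AppInit_DLLs: repairs303169560.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")      # "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"Run: \[[^\]]*\] (.*)$")      # command after "[name] "
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Local Settings\Temp\...
IE_URL_RE = re.compile(r"iexplore\.exe\s+https?://", re.IGNORECASE)
SMSS_RE = re.compile(r"^([A-Za-z]:\\[^\\]+)\\System32\\smss\.exe$", re.IGNORECASE)


def system_root(log_text: str) -> Optional[str]:
    # Derive %WINDIR% (e.g. C:\WINNT) from the smss.exe path in the process list.
    for line in log_text.splitlines():
        m = SMSS_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def triage_line(line: str, windir: Optional[str] = None) -> Optional[Finding]:
    """Apply the rules to one log line; return a Finding or None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section == "F2" and "UserInit=" in body:
        # Windows runs every comma-separated executable here at logon;
        # only userinit.exe itself should be present.
        extras = [p for p in body.split("UserInit=", 1)[1].split(",")[1:] if p.strip()]
        if extras:
            return Finding(section, line, "extra UserInit executable: " + ", ".join(extras))

    elif section == "F3" and "load=" in body:
        value = body.split("load=", 1)[1].strip()
        if value:  # empty on a clean system
            return Finding(section, line, f"win.ini load= starts {value}")

    elif section == "O4":
        rm = RUN_RE.search(body)
        if rm:
            cmd = rm.group(1)
            path = cmd.lstrip('"')  # tolerate a quoted path
            if TEMP_RE.search(path):
                return Finding(section, line, "autorun from a Temp folder")
            if IE_URL_RE.search(cmd):
                return Finding(section, line, "autorun opens a URL in Internet Explorer")
            if "?" in path:
                return Finding(section, line, "unprintable character in file name")
            if (windir and re.match(r"^[A-Za-z]:\\win", path, re.IGNORECASE)
                    and not path.lower().startswith(windir.lower() + "\\")):
                return Finding(section, line, f"autorun under a Windows folder other than {windir}")

    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # empty on a clean system
            return Finding(section, line, f"AppInit_DLLs loads {value} into every GUI process")

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, using its own %WINDIR% for the path rule."""
    windir = system_root(log_text)
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip(), windir)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it as-is to see the seven flagged lines from the sample, or feed it a whole log with `triage(open("hijackthis.log").read())`. The rules deliberately stop at what the log itself shows: an entry outside Temp with a plausible-looking name (the Hsyfa.exe and pdhpbrd.exe entries in this thread, for instance) still needs a human or a file scan, which is why the output is a list of reasons to look closer rather than a clean/infected verdict.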

#5 jeannette

    New Member

  • New Member
  • 5 posts

Posted 03 June 2006 - 12:28 PM

I tried to follow all of your instructions, but there were some files that I could not find. I emptied all the Temp files for all users, though in some cases they were already empty. I don't know if this is weird, but the WINDOWS folder didn't have anything except a readme file and a rvwhec.dll. The TEMP folder was in a folder all on its own and I wasn't able to find the Prefetch folder. I then deleted all internet files, disabled Spysweeper, Trojan Hunter, and Windows Defender, ran HijackThis and rebooted in safe mode as you've instructed; however, I wasn't able to find the files you wanted me to delete. I guess they didn't exist? Anyway, here is the HJT log after I rebooted the computer again.

Thanks

Jeannette

Logfile of HijackThis v1.99.1
Scan saved at 2:20:15 PM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\PROGRA~1\NAVNT\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NAVNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NAVNT\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\program files\common files\aol\1100833569\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
E:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [4D2##9C3HLPN6@] C:\WINNT\system32\Hsyfa.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAVNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134705761684
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pacsweb/AMI/install/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://pacsweb/AMI/i...l/amiviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D93E8DB2-13F1-4AE5-8BA6-F1A77B72D32B}: NameServer = 140.163.233.106,140.163.103.193
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAVNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NAVNT\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#6 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 03 June 2006 - 04:14 PM

Hello Jeannette,

Sorry about the instructions about the Prefetch folder, which is a Windows XP folder. I am used to Windows XP and forgot you have Windows 2000.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Microsoft Windows Defender:
We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.

You have the Peper Trojan.
1. Please download PeperFix.exe.
2. Start the tool and click Find and Fix.
3. Reboot to finish removing what it found.
4. Run the tool a second time.
5. Reboot to finish removing the entries.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe /insfin
O4 - HKLM\..\Run: [4D2##9C3HLPN6@] C:\WINNT\system32\Hsyfa.exe

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them if they exist:
You may need to search for 200662174210_mcinfo.exe to locate it.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200662174210_mcinfo.exe<==file
C:\WINNT\system32\Hsyfa.exe<==file

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.

#7 jeannette

    New Member

  • New Member
  • 5 posts

Posted 03 June 2006 - 07:18 PM

Hey,
I disabled Spysweeper and Windows Defender before downloading Peperfix. When I ran it, however, the program didn't find anything. I rebooted the computer and ran it again but it still didn't find anything. Then I ran HJT and fixed the two files as instructed. I rebooted into safe mode and found and deleted the first of the two files. I rebooted again into normal mode and here is the newest HJT log.

Thanks,

Jeannette

Logfile of HijackThis v1.99.1
Scan saved at 9:15:33 PM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\PROGRA~1\NAVNT\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NAVNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NAVNT\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\program files\common files\aol\1100833569\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1100833569\ee\AOLServiceHost.exe
E:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100833569\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAVNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134705761684
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pacsweb/AMI/install/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://pacsweb/AMI/i...l/amiviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D93E8DB2-13F1-4AE5-8BA6-F1A77B72D32B}: NameServer = 140.163.233.106,140.163.103.193
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mskcc.root.mskcc.org,mskcc.org
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAVNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NAVNT\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8 Susan528
SuperMember (Authentic Member, 3,194 posts)

Posted 03 June 2006 - 07:38 PM

Hello Jeannette,

Your log appears to be clean. I would like you to run another scan just to double-check things.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Standard
      • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
Copy and paste that information from Kaspersky in your reply please.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#9 jeannette
New Member (5 posts)

Posted 04 June 2006 - 12:58 AM

Hi, I ran the Kaspersky Scan and here is the log. Thanks, Jeannette

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 04, 2006 2:53:30 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 4/06/2006
Kaspersky Anti-Virus database records: 186441
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84911
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:20:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D00000.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D00001.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05F40000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06300000.VBN Infected: Trojan.Win32.Runner.h skipped

Scan process completed.

#10 Susan528
SuperMember (Authentic Member, 3,194 posts)

Posted 04 June 2006 - 02:12 AM

Hello Jeannette,

Those files in the Kaspersky log are quarantined, so they pose no threat. If you want to permanently delete them, you can follow the instructions here:
http://service1.syma...000041213443506

Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 2.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • You can also find more info on how to prevent malware here (by Tony Klein).
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

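A small triage script for a Kaspersky On-line Scanner report like the one pasted above, added here as an example and not part of the thread or of any Kaspersky tool: it separates detections that sit inside an antivirus product's own quarantine store (which, as the reply notes, pose no live threat) from files still in place on disk that need follow-up. The quarantine-path marker list and the single "live" line in the sample are constructed assumptions.

```python
import re

# Constructed sample in the same layout as the report pasted in the thread.
# The two quarantine lines are from the thread; the C:\WINNT\Temp line is a
# made-up placeholder (not a real detection) to show the "live file" case.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus Corporate Edition\\7.5\\Quarantine\\05D00000.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus Corporate Edition\\7.5\\Quarantine\\05F40000.VBN Infected: Exploit.HTML.Mht skipped
C:\\WINNT\\Temp\\placeholder.exe Infected: Trojan.Win32.Example.a skipped
Scan process completed.
"""

# Detection lines have the shape "<path> Infected: <virus name> <last action>".
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

# Path fragments that mark an AV product's quarantine store (assumption: extend
# this for other products; Symantec's store is a "Quarantine" folder of .VBN files).
QUARANTINE_MARKERS = ("\\quarantine\\",)


def parse_report(text):
    """Return (path, virus_name, last_action) for every detection line."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name"), m.group("action")))
    return hits


def is_quarantined(path):
    """True when the detected object lives inside a known quarantine store."""
    lowered = path.lower()
    return any(marker in lowered for marker in QUARANTINE_MARKERS)


def triage(text):
    """Split detections into already-quarantined copies and files still live on disk."""
    result = {"quarantined": [], "live": []}
    for hit in parse_report(text):
        bucket = "quarantined" if is_quarantined(hit[0]) else "live"
        result[bucket].append(hit)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{len(t['quarantined'])} quarantined, {len(t['live'])} live")
    for path, name, action in t["live"]:
        print(f"NEEDS ATTENTION: {name} at {path} (last action: {action})")
```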

#11 Susan528
SuperMember (Authentic Member, 3,194 posts)

Posted 07 June 2006 - 05:20 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php