Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Wasted 2 Days Already


  • This topic is locked This topic is locked
123 replies to this topic

#61 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 03:55 PM

As far as I know they should be in C:\Windows\System32 I don't have any .exe files here. C:\Windows\Software Distribution\Download Only items like this: 16b2c96a0c414dfdb4d3cc288a4f819 I'd be careful about deleting anything though.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#62 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 04:10 PM

Here is the new log. Rebooted and plug connection in. No pop ups yet. Ewido updated automatically. It seems to be taking longer for popups. They must be getting tired!! :rofl:



Logfile of HijackThis v1.99.1
Scan saved at 4:44:44 PM, on 6/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Spyware Stuff\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120564985247
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#63 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 04:13 PM

Spysweeper just blocked access from count.exitchange.com. I think they are coming again. Must be slowing changing some files and then they'll show up! ****LDTate, I think all pop ups are opening IE even though I am using Firefox. Does this help?

Edited by MLL, 07 June 2006 - 04:20 PM.


#64 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 04:20 PM

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\WINDOWS\System32\wuauclt.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#65 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 04:34 PM

Nothing found. I noticed there is another file besides wuauclt.exe : C:\WindowsSystem32\wuauclt1.exe Should I scan that too? Only one pop up so far and the window (IE) did not display anything. Again, I only use Firefox but the pop ups are using IE. AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VirusBuster Found nothing VBA32 Found nothing

#66 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 04:37 PM

wuauclt1.exe is the Windows Update AutoUpdate Client which runs in background to checks with Microsoft website for updates to the operating system. This file is located at "%WinDir%\System32" directory. If you find this file in directory other than System32, you should beware that it is virus or spyware.







Click HERE to download DllCompare. Start the Program with and click the Run Locate.com - be sure the \Windows\System32 directory is in the box and wait until the the blue text says it has 'completed the scan'.

Click the Compare button to start the next process. The results appear in two panes - files in the upper pane have been verified to 'exist', files in the lower pane were 'not able to be accessed'. Very few files should be listed in the lower pane when the Compare scan is complete. Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button and post the log here in this thread and wait for further instructions.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#67 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 04:57 PM

I followed your instructions and clicked on " make a log of what was found" and the program got hung up twice. I had to copy and paste the results here: C:\WINDOWS\SYSTEM32\msvcp71.dll Thu Aug 4 2005 7:20:00p A.S.. 499,712 488.00 K C:\WINDOWS\SYSTEM32\msvcr71.dll Thu Aug 4 2005 7:20:02p A.S.. 348,160 340.00 K These 2 files were in the lower pane.

Edited by MLL, 07 June 2006 - 04:58 PM.


#68 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 05:02 PM

Those are OK. I'm doing some digging to see what else we can try.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#69 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 05:06 PM

You will need to update ewido to the latest definition files.

Launch ewido and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Note: This can take several minutes to load Sfae Mode.

Then please run Ewido, click on the Scanner run a full scan

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#70 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 05:13 PM

The good thing is I only got one pop up which was blank. And it is already 6 p.m. here so it's been a while. Again, does it matter whether I am using Firefox and the popups are using IE? I usually use the quick access button on my keyboard to access Firefox. I thought I saw two browsers opened when I press the button when usually only one browser opens. This time, I double clicked the Firefox icon on my Desktop instead on using the button. Does that make any difference? Just trying to check everything out. Thanks.

    Advertisements

Register to Remove


#71 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 05:19 PM

Oh, I forgot to tell you last night after using Yahoo Messenger and getting all sorts of pop ups again, I rebooted in Safe mode and kept the network unplugged. I then ran Ewido, SpySweeper and Dr.Web and save the logs. Do you want to see them? This was before I rebooted in Normal mode and reconnected Network after your #59 post at 3:45 p.m.

#72 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 05:20 PM

Yes, I'd like to see the logs.

I'm sure they're coming through IE.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#73 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 05:23 PM

I first ran Ewido after rebooting in Safe Mode with network unplugged: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 7:01:18 AM, 6/7/2006 + Report-Checksum: 47CE6257 + Scan result: :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\73b3sqlf.default\cookiesnew.txt -> TrackingCookie.Zedo : Cleaned with backup ::Report End

#74 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 05:25 PM

Next was SpySweeper and then Dr.Web. DrWeb did not find anything hence no report. After that, I did not do anything else until your instructions. Here is the Spysweeper report :

********
7:04 AM: | Start of Session, Wednesday, June 07, 2006 |
7:04 AM: Spy Sweeper started
7:04 AM: Sweep initiated using definitions version 693
7:04 AM: Starting Memory Sweep
7:05 AM: Memory Sweep Complete, Elapsed Time: 00:01:36
7:05 AM: Starting Registry Sweep
7:06 AM: Registry Sweep Complete, Elapsed Time:00:00:19
7:06 AM: Starting Cookie Sweep
7:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:06 AM: Starting File Sweep
7:11 AM: Found Adware: fullcontext
7:11 AM: srvvqyafkm.exe (ID = 303274)
7:33 AM: File Sweep Complete, Elapsed Time: 00:26:46
7:33 AM: Full Sweep has completed. Elapsed time 00:28:51
7:33 AM: Traces Found: 1
7:47 AM: Removal process initiated
7:47 AM: Quarantining All Traces: fullcontext
7:47 AM: Removal process completed. Elapsed time 00:00:08
********
10:16 PM: | Start of Session, Tuesday, June 06, 2006 |
10:16 PM: Spy Sweeper started
10:16 PM: Sweep initiated using definitions version 693
10:16 PM: Starting Memory Sweep
10:20 PM: Sweep Canceled
10:20 PM: Memory Sweep Complete, Elapsed Time: 00:04:06
10:20 PM: Traces Found: 0
11:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
11:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
11:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
11:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
********
10:13 PM: | Start of Session, Monday, June 05, 2006 |
10:13 PM: Spy Sweeper started
10:13 PM: Sweep initiated using definitions version 691
10:13 PM: Starting Memory Sweep
10:15 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
10:15 PM: Starting Registry Sweep
10:15 PM: Registry Sweep Complete, Elapsed Time:00:00:15
10:15 PM: Starting Cookie Sweep
10:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:15 PM: Starting File Sweep
10:16 PM: Found Trojan Horse: trojan downloader matcash
10:16 PM: a0026882.exe (ID = 294587)
10:16 PM: Found Adware: visfx
10:16 PM: a0027293.exe (ID = 244295)
10:16 PM: Found Adware: enbrowser
10:16 PM: a0025729.exe (ID = 270029)
10:16 PM: Found Adware: clkoptimizer
10:16 PM: a0025730.exe (ID = 271215)
10:16 PM: Found Adware: surfsidekick
10:16 PM: a0026743.dll (ID = 302237)
10:16 PM: Found Adware: dollarrevenue
10:16 PM: a0026885.exe (ID = 302233)
10:16 PM: Found Trojan Horse: trojan-downloader-ac2
10:16 PM: a0026888.dll (ID = 276222)
10:16 PM: a0026889.dll (ID = 276222)
10:16 PM: Found Adware: zenosearchassistant
10:16 PM: a0026891.exe (ID = 293)
10:16 PM: Found Adware: purityscan
10:16 PM: a0027224.exe (ID = 296574)
10:16 PM: a0027233.exe (ID = 302231)
10:16 PM: a0027234.exe (ID = 302232)
10:16 PM: a0027235.exe (ID = 302233)
10:16 PM: a0027241.exe (ID = 244277)
10:16 PM: a0027276.exe (ID = 293)
10:16 PM: a0027287.exe (ID = 301896)
10:20 PM: a0027294.exe (ID = 270029)
10:20 PM: a0027299.exe (ID = 300281)
10:41 PM: File Sweep Complete, Elapsed Time: 00:26:32
10:41 PM: Full Sweep has completed. Elapsed time 00:27:58
10:41 PM: Traces Found: 18
10:52 PM: Removal process initiated
10:52 PM: Quarantining All Traces: clkoptimizer
10:52 PM: Quarantining All Traces: purityscan
10:52 PM: Quarantining All Traces: trojan downloader matcash
10:52 PM: Quarantining All Traces: visfx
10:52 PM: Quarantining All Traces: dollarrevenue
10:52 PM: Quarantining All Traces: enbrowser
10:52 PM: Quarantining All Traces: surfsidekick
10:52 PM: Quarantining All Traces: trojan-downloader-ac2
10:52 PM: Quarantining All Traces: zenosearchassistant
10:52 PM: Removal process completed. Elapsed time 00:00:07
10:53 PM: Deletion from quarantine initiated
10:53 PM: Processing: apropos
10:53 PM: Processing: clkoptimizer
10:53 PM: Processing: command
10:53 PM: Processing: coolwebsearch (cws)
10:53 PM: Processing: cws_ns3
10:53 PM: Processing: cws-aboutblank
10:53 PM: Processing: directrevenue-abetterinternet
10:53 PM: Processing: dollarrevenue
10:53 PM: Processing: enbrowser
10:53 PM: Processing: java byteverify
10:53 PM: Processing: linkmaker
10:53 PM: Processing: marketscore
10:53 PM: Processing: purityscan
10:53 PM: Processing: screensavers
10:53 PM: Processing: surfsidekick
10:53 PM: Processing: targetsaver
10:53 PM: Processing: trojan downloader matcash
10:53 PM: Processing: trojan-downloader-ac2
10:53 PM: Processing: trojan-dropper-agenthl
10:53 PM: Processing: visfx
10:53 PM: Processing: zenosearchassistant
10:53 PM: Deletion from quarantine completed. Elapsed time 00:00:01
4:03 PM: Your spyware definitions have been updated.
4:04 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
4:04 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
9:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:31 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:04 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:04 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:04 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:04 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
10:16 PM: | End of Session, Tuesday, June 06, 2006 |
********
10:12 PM: | Start of Session, Monday, June 05, 2006 |
10:12 PM: Spy Sweeper started
10:12 PM: Sweep initiated using definitions version 691
10:12 PM: Starting Memory Sweep
10:13 PM: Sweep Canceled
10:13 PM: Memory Sweep Complete, Elapsed Time: 00:00:47
10:13 PM: Traces Found: 0
10:13 PM: | End of Session, Monday, June 05, 2006 |
********
10:00 PM: | Start of Session, Monday, June 05, 2006 |
10:00 PM: Spy Sweeper started
10:00 PM: Sweep initiated using definitions version 691
10:00 PM: Starting Memory Sweep
10:01 PM: Sweep Canceled
10:01 PM: Memory Sweep Complete, Elapsed Time: 00:00:23
10:01 PM: Traces Found: 0
********
2:11 PM: | Start of Session, Monday, June 05, 2006 |
2:11 PM: Spy Sweeper started
2:11 PM: Sweep initiated using definitions version 691
2:11 PM: Starting Memory Sweep
2:14 PM: Memory Sweep Complete, Elapsed Time: 00:03:07
2:14 PM: Starting Registry Sweep
2:14 PM: Found Adware: apropos
2:14 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
2:14 PM: Found Adware: coolwebsearch (cws)
2:14 PM: HKCR\clsid\{6ee714d9-32a7-986a-b54e-a994f454edd3}\ (2 subtraces) (ID = 107303)
2:14 PM: HKLM\software\classes\clsid\{6ee714d9-32a7-986a-b54e-a994f454edd3}\ (2 subtraces) (ID = 108691)
2:14 PM: Found Adware: cws-aboutblank
2:14 PM: HKCR\clsid\{8f6c5de9-fddf-569a-0a0f-fef0e3957f0f}\ (2 subtraces) (ID = 113181)
2:14 PM: HKLM\software\classes\clsid\{8f6c5de9-fddf-569a-0a0f-fef0e3957f0f}\ (2 subtraces) (ID = 114762)
2:14 PM: Found Adware: cws_ns3
2:14 PM: HKCR\clsid\{30d83f56-da50-b817-ef00-1deb557b32f8}\ (2 subtraces) (ID = 118125)
2:14 PM: HKCR\clsid\{8669abb2-7410-3460-f449-e119dca24cc4}\ (4 subtraces) (ID = 118546)
2:14 PM: HKLM\software\classes\clsid\{30d83f56-da50-b817-ef00-1deb557b32f8}\ (2 subtraces) (ID = 119994)
2:14 PM: HKLM\software\classes\clsid\{8669abb2-7410-3460-f449-e119dca24cc4}\ (4 subtraces) (ID = 120392)
2:14 PM: Found Adware: purityscan
2:14 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\conflict.1\mediaticketsinstaller.ocx (ID = 139075)
2:14 PM: Found Adware: screensavers
2:14 PM: HKLM\software\screensavers.com\ (14 subtraces) (ID = 140569)
2:14 PM: Found Adware: enbrowser
2:14 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
2:14 PM: Found Adware: command
2:14 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
2:14 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
2:14 PM: Found Adware: marketscore
2:14 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{2cbd1bb3-9ac7-4d7f-9023-8a3e8dfb841a}\ (12 subtraces) (ID = 1141383)
2:14 PM: Found Adware: linkmaker
2:14 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
2:14 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
2:14 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
2:14 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
2:14 PM: HKU\S-1-5-21-3151056399-85685617-3384630467-1003\software\system\sysuid\ (1 subtraces) (ID = 731748)
2:14 PM: Registry Sweep Complete, Elapsed Time:00:00:15
2:14 PM: Starting Cookie Sweep
2:14 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:14 PM: Starting File Sweep
2:19 PM: Found Trojan Horse: trojan-dropper-agenthl
2:19 PM: vsl03.exe (ID = 297448)
2:19 PM: vsl05.exe (ID = 299775)
2:21 PM: pf78.exe (ID = 244430)
2:22 PM: jiub5f27y.hhy (ID = 276229)
2:27 PM: Found Adware: targetsaver
2:27 PM: class-barrel (ID = 78229)
2:32 PM: vocabulary (ID = 78283)
2:41 PM: Found Adware: directrevenue-abetterinternet
2:41 PM: belt.inf (ID = 83154)
2:41 PM: backup-20060605-101804-258.inf (ID = 74756)
2:41 PM: Found Adware: java byteverify
2:41 PM: classload.jar-1f8050ce-6aa381c3.zip (ID = 64823)
2:42 PM: File Sweep Complete, Elapsed Time: 00:27:33
2:42 PM: Full Sweep has completed. Elapsed time 00:31:01
2:42 PM: Traces Found: 106
2:43 PM: Removal process initiated
2:43 PM: Quarantining All Traces: cws_ns3
2:43 PM: Quarantining All Traces: cws-aboutblank
2:43 PM: Quarantining All Traces: directrevenue-abetterinternet
2:43 PM: Quarantining All Traces: purityscan
2:43 PM: Quarantining All Traces: apropos
2:43 PM: Quarantining All Traces: coolwebsearch (cws)
2:43 PM: Quarantining All Traces: enbrowser
2:43 PM: Quarantining All Traces: linkmaker
2:43 PM: Quarantining All Traces: marketscore
2:43 PM: Quarantining All Traces: trojan-dropper-agenthl
2:43 PM: Quarantining All Traces: command
2:43 PM: Quarantining All Traces: java byteverify
2:43 PM: Quarantining All Traces: screensavers
2:43 PM: Quarantining All Traces: targetsaver
2:44 PM: Removal process completed. Elapsed time 00:01:01
3:00 PM: The Spy Communication shield has blocked access to: paypopup.com
3:00 PM: The Spy Communication shield has blocked access to: paypopup.com
3:00 PM: The Spy Communication shield has blocked access to: paypopup.com
3:00 PM: The Spy Communication shield has blocked access to: paypopup.com
3:01 PM: The Spy Communication shield has blocked access to: paypopup.com
3:01 PM: The Spy Communication shield has blocked access to: paypopup.com
3:01 PM: The Spy Communication shield has blocked access to: paypopup.com
3:01 PM: The Spy Communication shield has blocked access to: paypopup.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:01 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
3:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
3:53 PM: The Spy Communication shield has blocked access to: paypopup.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:39 PM: The Spy Communication shield has blocked access to: apps.deskwizz.com
4:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:21 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:44 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:44 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:44 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
5:44 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:07 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:07 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:07 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:07 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:18 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:18 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:18 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:18 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:30 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:30 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:30 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:30 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
********
2:08 PM: | Start of Session, Monday, June 05, 2006 |
2:08 PM: Spy Sweeper started
2:10 PM: Your spyware definitions have been updated.
2:11 PM: | End of Session, Monday, June 05, 2006 |


******I deleted everything quarantined!

Edited by MLL, 07 June 2006 - 05:27 PM.


#75 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 05:46 PM

Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information from Kapersky in your next post.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users