Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

mp62


  • This topic is locked This topic is locked
27 replies to this topic

#16 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 22 June 2006 - 06:09 PM

When I attempt to delete the file with Avenger I get the following response: ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Error: selected file does not appear to be a valid script. Error code: 1813

Edited by mp62, 22 June 2006 - 06:10 PM.

    Advertisements

Register to Remove


#17 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 23 June 2006 - 08:51 AM

Hello mp62,

Does this file exist? Can you navigate and find it?

To me it seemed that Killbox should have captured it, but the Kapersky scan still showed it as present down at the bottom of the scans you posted. Now Avenger gives an error-- it is as though the file does not exist.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe

Let's try a different scan.

======
Panda Active Scan
Please go to Panda ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
======
Free TrendMicro Housecall scan:
You'll need to use Internet Explorer or Netscape browsers to run this scan.
Vist the TrendMicro Housecall website.
  • Select your country from the drop-down list and click "Go".
  • Choose "Yes" at the ActiveX Security Warning prompt.
  • Please wait while the Housecall engine is updated.
  • Select the drives to be scanned by placing a check in their respective boxes.
  • Check the "Auto Clean" box.
  • Click "SCAN" in order to begin scanning your system.
  • Please be patient while Housecall scans your system for malicious files.
  • If not auto-cleaned, remove anything it finds.
  • Click "Close" to exit the Housecall scanner.
  • Choose "Yes" at the HouseCall message prompt.
Post (reply) the contents of the Panda scan report, and let me know what TrendMicro finds.

Edited by Susan528, 23 June 2006 - 08:54 AM.

Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#18 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 24 June 2006 - 09:34 AM

Panda Scan


Incident Status Location

Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.2o7.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.com.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.peel.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.atwola.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ccbill.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.go.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.tickle.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mike\Cookies\mike@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mike\Cookies\mike@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mike\Cookies\mike@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mike\Cookies\mike@doubleclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mike\Cookies\mike@perf.overture[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mike\Cookies\mike@serving-sys[2].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Mike\Desktop\PopularScreenSaversFFSetup2.0.3.26.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mike\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mike\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Mike\Local Settings\Temp\temp.fr6CA9\Spyware-Quake.exe
===============================================================
Trend Micro Before Cleaning:
===================================================================

ADWARE_OSKAEDUCATIONALSYSTEMS
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADWARE_ISTBAR
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware is a plugin that can monitor or manipulate a user's Internet activity, usually posing as a toolbar or a search aid in the Internet browser. It modifies the r...
Aliasnames: Adware-ISTBar (McAfee); Adware.Istbar (Symantec); Trojan-Downloader.JS.IstBar.k, Trojan-Downloader.JS.IstBar.ai (Kaspersky); Win32/Startpage.OU trojan, Win32/SillyDL.3328!Trojan, Win32/Startpage.JS trojan (CAV)
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

This adware is a plugin that can monitor or manipulate a user's Internet activity, usually posing as a toolbar or a search aid in the Internet browser. It modifies the registry to be able to run at every Windows startup.

It either has a deceptive, or it does not have, an End-User License Agreement (EULA).

This adware modifies Internet security settings (such as the Trusted and Restricted sites), as well as Internet browser settings (such as the start and search pages).

It adds unwanted shortcuts, favorites, or icons on the affected system or an Internet browser.

It also generates pop-up advertisements and has the ability to retrieve and install additional adware or spyware on the affected system.

Furthermore, this adware creates dial-up settings without a user's knowledge or consent.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADWARE_ZAPCHAST
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware generates pop-up advertisements.

Aliasnames: Trojan-Downloader.Win32.Zlob.IG (Ikarus)
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

This adware generates pop-up advertisements.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADWARE_FUNWEBPRODUCTS
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

TSPY_PUPER
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

SPYWARE_TRAK_VISLOG.210
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADWARE_BHO_MYWAY
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware is a plugin that can monitor or manipulate a user's Internet activity, usually posing as a toolbar or a search aid in the Internet browser.

Aliasnames: MySearch, Adware-MWS (NAI); AdWare.ToolBar.MyWay.B (Ikarus)
Platform: Windows
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

This adware is a plugin that can monitor or manipulate a user's Internet activity, usually posing as a toolbar or a search aid in the Internet browser.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADWARE_IBIS.WEBSEARCH
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware generates pop-up advertisements.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.
This adware generates pop-up advertisements.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

DIALER_DIALERPLATFORM
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This dialer generates pop-up advertisements. It also creates dial-up settings without the user's permission or intervention.
Aliasnames: Win32/Porndial.G.Trojan (PestPatrol); Win32:Trojan-gen. Other (Alwil); Dialer.22.U (Grisoft)
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

This dialer generates pop-up advertisements. It also creates dial-up settings without the user's permission or intervention.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

ADW_WEBSEARCH.T
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware installs itself as a Browser Helper Object (BHO) to enable itself to run automatically whenever an Internet Explorer (IE) browser is opened. When an affected...
Aliasnames: no more aliase names known
Platform: Windows 95, 98, ME, NT, 2000, XP
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

This adware installs itself as a Browser Helper Object (BHO) to enable itself to run automatically whenever an Internet Explorer (IE) browser is opened. When an affected user inputs an invalid URL in the IE browser, the connection is redirected to the following search engine Web site:

http://www.mywebsearch.com/

It installs components, which include programs that display advertisements based on the user's Internet browsing habits.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup
TITLE_OF_GRAYWARE
0 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

HTTP cookies
8 Detected
Cookies are generally used to save user-specific data from Internet transactions with a Web server via a browser. The cookies listed below are "profiling cookies" that are only used to monitor your Internet usage.
Cleanup options Remove all detected cookies
Select individual action for each detected cookie
Keep this cookieRemove this cookieCookiesThe cookies displayed here are classified as potentially malicious.ReasonThis column indicates the reason why cleanup failed.The system denied access to the cookieThe current pattern does not support removal
Detected vulnerabilities

ASP.NET Path Validation Vulnerability (887219)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft .NET Framework 1.0
Microsoft .NET Framework 1.1
Malware exploiting this vulnerability: unknown
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative p...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office Word 2003
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Malware exploiting this vulnerability: unknown
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
More information about this vulnerability and its elimination.

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exi...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Exchange 2000 Server Service Pack 3
Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Office 2000
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003
Microsoft Office 2003 Service Pack 1
Microsoft Office XP
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Malware exploiting this vulnerability: unknown
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exists in Microsoft Outlook and Microsoft Exchange Server allows remote code execution because of the way they decode the Transport Neutral Encapsulation Format (TNEF) in the MIME attachment.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take com...
==================================================================
Trend Micro After Cleaning:
==================================================================
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.

ADWARE_IBIS.WEBSEARCH
1 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
This adware generates pop-up advertisements.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.
This adware generates pop-up advertisements.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup
TITLE_OF_GRAYWARE
0 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spywareSelecting this line will take no action on the infection Selecting this column will clean the infectionWarning: Selecting this column will delete the infection (e.g. the infected file) from your hard diskFiles infected by this grayware/spywareThis will display all the files infected by the above grayware/malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup
Detected vulnerabilities

ASP.NET Path Validation Vulnerability (887219)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft .NET Framework 1.0
Microsoft .NET Framework 1.1
Malware exploiting this vulnerability: unknown
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative p...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office Word 2003
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Malware exploiting this vulnerability: unknown
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
More information about this vulnerability and its elimination.

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exi...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Exchange 2000 Server Service Pack 3
Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Office 2000
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003
Microsoft Office 2003 Service Pack 1
Microsoft Office XP
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Malware exploiting this vulnerability: unknown
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exists in Microsoft Outlook and Microsoft Exchange Server allows remote code execution because of the way they decode the Transport Neutral Encapsulation Format (TNEF) in the MIME attachment.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take com...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Excel 2004 for Mac
Microsoft Excel X for Mac
Microsoft Office 2000 Multilingual User Interface Packs
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP Multilingual User Interface Packs
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2000
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Malware exploiting this vulnerability: unknown
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take complete control of the client workstation. The malicious user may then install programs; view, change, or delete data; or create new accounts with full user rights. Users with fewer user rights on the system based on their accounts could be less impacted than users with administrative user rights.
More information about this vulnerability and its elimination.
TITLE_OF_VULNERABILITY

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
More information about this vulnerability and its elimination.
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
More information about this vulnerability and its elimination.
Port: is accessible

Transfering more information about this port...
An error occured while trying to retrieve more information about this port. There is currently no more information available.
Standard services over this port: Unknown
Malware exploiting this port: Unknown
Clean now » Removes all infections found on your machine, according to the options selected.

#19 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 26 June 2006 - 04:25 AM

Hello mp62,

Thank you for the scans. I am not sure what Trend Micro cleaned. But let's do this.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

=========================
Don't know if this was removed or not.
MyWay Removal
Open ‘Add/Remove Programs’ in the Control Panel.
  • Select the ‘My Search Bar’ (MySearch variant), ‘MyWay Speed Bar’ (MyWay) or ‘My Web Search Bar’ (MyWeb) entry
  • Click ‘Remove’.
  • For the MyWeb variant, be sure to also remove ‘Fun Web Products Easy Installer’
  • Open My Computer, Drive C, and double-click on the Program Files folder
  • Right-click and delete the folders for:
    FunWebProducts
    MyWebSearch
Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Maybe these files were cleaned and do not exist anymore but please do this and check.
Using Windows Explorer, locate the following files/folders (if they exist), and delete them:
C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url<=file
C:\Documents and Settings\Mike\Desktop\PopularScreenSaversFFSetup2.0.3.26.exe<=file
C:\Documents and Settings\Mike\Local Settings\Temp\temp.fr6CA9\Spyware-Quake.exe<=file
Exit Explorer, and reboot as normal afterwards.

Please go ahead and repeat the Panda scan and the Trend Micro and reply with the results. Let's see if there are differences in results.

Also please post (reply) with a hijackthis log.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#20 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 26 June 2006 - 08:47 PM

Panda Scan June 26

Incident Status Location

Adware:adware/emediacodec Not disinfected c:\program files\Media-Codec
Potentially unwanted tool:application/funweb Not disinfected hkey_current_user\software\Fun Web Products
Adware:adware/powerscan Not disinfected Windows Registry
Adware:adware/surfaccuracy Not disinfected Windows Registry
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.belnk.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.peel.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.atwola.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ccbill.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\9wnm0pz8.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mike\Cookies\mike@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mike\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mike\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16B.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17A.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17A9.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq182.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq188.tmp
Spyware:Cookie/Hypercount Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A6B.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD45.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD47.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD49.tmp
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-1417001333-1303643608-839522115-1003\Dc2.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Virus:Trj/Brospy.D Disinfected Local Folders\Inbox\YOUR ACCOUNT LIMITED\PE-901-449-020.jpg.exe
Virus:Trj/Tixeno.A Disinfected Local Folders\Inbox\YOUR ACCOUNT LIMITED\PE-901-449-020.jpg.exe

Cleaned cookies and deleted files before running Trend Micro, which follows.
============================================================

Trend Micro Results June 26

Detected vulnerabilities

ASP.NET Path Validation Vulnerability (887219)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft .NET Framework 1.0
Microsoft .NET Framework 1.1
Malware exploiting this vulnerability: unknown
A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative p...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office Word 2003
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Malware exploiting this vulnerability: unknown
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a users system. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
More information about this vulnerability and its elimination.

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exi...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Exchange 2000 Server Service Pack 3
Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Office 2000
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003
Microsoft Office 2003 Service Pack 1
Microsoft Office XP
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Malware exploiting this vulnerability: unknown
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exists in Microsoft Outlook and Microsoft Exchange Server allows remote code execution because of the way they decode the Transport Neutral Encapsulation Format (TNEF) in the MIME attachment.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take com...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Excel 2004 for Mac
Microsoft Excel X for Mac
Microsoft Office 2000 Multilingual User Interface Packs
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP Multilingual User Interface Packs
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2000
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Malware exploiting this vulnerability: unknown
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take complete control of the client workstation. The malicious user may then install programs; view, change, or delete data; or create new accounts with full user rights. Users with fewer user rights on the system based on their accounts could be less impacted than users with administrative user rights.
More information about this vulnerability and its elimination.
=================================================================

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 10:36:42 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O3 - Toolbar: Video Professor Stay on Top - {56879C4B-B0B1-447C-9FDF-259F70BE9F76} - C:\Program Files\VideoProfessorStayOnTop\VPExplorerExtensions.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {701DC9DC-ACD5-4E94-85E3-F3F1ED68611A} (CWebClientCtl Object) - http://download.palt...ebclientctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp...iles/phasex.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

#21 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 27 June 2006 - 08:52 AM

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
c:\program files\Media-Codec

Exit Explorer,
Empty your recycle bin
reboot as normal afterwards.

STEP 1.
======
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see place to input search terms.
Please enter the search terms:
powerscan
After the search has completed a window titled Results.txt will open.
Please save the results and post in your next reply.

Please repeat the above for the following search terms:
Surfaccuracy
Fun Web Products


Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\system32\Tools\Restart.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.

Please post (reply) with the results from the regscans, and Jotti.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#22 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 29 June 2006 - 04:53 AM

I did not find C:\Program Files\Media-Codec in Explorer. Regscan No matches to your search terms: "powerscan" were found. the search took 33 seconds. No matches to your search terms: "Surfaccuracy" were found. the search took 26 seconds. Windows Registry Editor Version 5.00 ; Regscan.vbs Version: 1.2 by rand1038 ; 6/28/2006 8:50:28 PM ; Search Term(s) Used: "Fun Web Products" ; 22 matches were found. ; The search took 23 seconds. [HKEY_USERS\.DEFAULT\Software\Fun Web Products] [HKEY_USERS\.DEFAULT\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-19\Software\Fun Web Products] [HKEY_USERS\S-1-5-19\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-19\Software\Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-19\Software\Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-19_Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-19_Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-20\Software\Fun Web Products] [HKEY_USERS\S-1-5-20\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-20\Software\Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-20\Software\Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-20_Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-20_Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Fun Web Products] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003_Classes\Software\Fun Web Products] [HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003_Classes\Software\Fun Web Products\ScreenSaver] [HKEY_USERS\S-1-5-18\Software\Fun Web Products] [HKEY_USERS\S-1-5-18\Software\Fun Web Products\ScreenSaver] I was unsure what to do with this part of the instructions, under Regscan "You will need to reverse this process when all steps are done." Jotti Service load: 0% 100% File: Restart.exe Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.) MD5 eb1b125ee5d2022cbf5e2f7226f47638 Packers detected: - Scanner results AntiVir Found SecurityPrivacyRisk/Destart.A riskware ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found HackerTool/Rebootah Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VirusBuster Found nothing VBA32 Found nothing Properties of C:\Windows\system32\tools\restart.exe File version: 1.0.1.3 Description: Restart Conuter ( not a typo, this is what it shows ) Copyright: Copyright© Liter Liu 2002

#23 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 29 June 2006 - 06:20 AM

Thank you for the results. I meant to delete the following but evidently did not. "You will need to reverse this process when all steps are done." I will need to prepare some regsitry fixes which will be reviewed before I reply. Thank you for your patience.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#24 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 30 June 2006 - 06:32 PM

STEP 1.
======
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe
==========================
Then, go to start-->run

and type this in:
notepad

Paste this into the box:

REGEDIT4

[-HKEY_USERS\.DEFAULT\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-19\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-19\Software\Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-19_Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-20\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-20\Software\Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-20_Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003\Software\Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-21-1417001333-1303643608-839522115-1003_Classes\Software\Fun Web Products]

[-HKEY_USERS\S-1-5-18\Software\Fun Web Products]

Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file
**

Now double click on regfix.reg and insert it into the registry.

Please do the Regscan again so we can check the registry

Use the search term:
Fun Web Products

Please delete the following file
C:\Windows\system32\tools\restart.exe<=file

Please reply with results from Regscan and a new hijackthis log.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#25 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 30 June 2006 - 09:05 PM

Regscan:

No match to your search terms: "Fun web products" were found. The search took 47 seconds.

Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\ABC\ABC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O3 - Toolbar: Video Professor Stay on Top - {56879C4B-B0B1-447C-9FDF-259F70BE9F76} - C:\Program Files\VideoProfessorStayOnTop\VPExplorerExtensions.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {701DC9DC-ACD5-4E94-85E3-F3F1ED68611A} (CWebClientCtl Object) - http://download.palt...ebclientctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp...iles/phasex.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    Advertisements

Register to Remove


#26 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 01 July 2006 - 02:05 AM

Congratulations mp62,

Your log appears to be clean. Please do the following:

Be sure and go to the Microsoft Update site and update all your Microsoft applications in addition to Windows so that you have the latest security patches. The Trend Micro scan indicated that there were some vulnerabilities present.
Also your Java is not up-to-date.

Uninstall Microsoft Antispyware and replace it with Microsoft Windows Defender. Microsoft Antispyware has been updated and renamed Microsoft Windows Defender. You can download the new version from http://www.microsoft...re/default.mspx


STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 2.( Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 4.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update your Java to the latest version. Uninstall any and all versions you have listed in add/remove programs and install the latest version from here:
    Java Software Java Runtime Environment Version 5.0 Update 7
    http://www.java.com/...windows_xpi.jsp

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • More info on how to prevent malware you can also find here (By Tony Klein)
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#27 mp62

mp62

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 03 July 2006 - 05:36 PM

Thanks for your patience and help Susan! I can't tell you how much I appreciate it! Mike

#28 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 05 July 2006 - 06:04 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users