
Trojan and pop-ups


Post by Myriddan » December 5th, 2005, 12:10 am

Norton keeps finding a trojan called st3.dll but cannot delete it, and if I quarantine it, it just keeps popping back up... I'm also getting pop-ups and the computer seems to be running slower than normal.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:49 AM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133491950\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\system32\ntvdm.exe
F:\Games\Square Soft, Inc\Final Fantasy VII\cdcheck.exe
F:\Games\Square Soft, Inc\Final Fantasy VII\cdcheck.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Programs\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [i2hub] F:\Programs\i2hubV2\i2hub.exe -tray
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/s ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/fil ... ImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/RightsServer/Cl ... leOpen.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancestry.com/asfiles/file ... ImgVwr.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am
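An added example (my code, not HijackThis's and not the forum's tooling): a Python script that parses HijackThis entry lines like those in the log above and flags what the helper acts on in this thread: "(file missing)" leftovers, nameless or self-named O2 BHOs, O20 Winlogon Notify DLLs, binaries sitting directly in C:\WINDOWS, and O4 startup entries for the programs the helper asks to uninstall. The sample lines are copied from the logs in this thread; the watchlist and flag rules are assumptions of mine for triage, not verdicts.

```python
"""Parse HijackThis (v1.99) log entries and flag the ones a helper reviews first.

Added example for this thread; not part of HijackThis or the forum's tooling.
The flags are review prompts, not verdicts: each still needs a human to check
the file's publisher and purpose, as the helper does in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [i2hub] F:\Programs\i2hubV2\i2hub.exe -tray
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Programs the helper asked to be uninstalled in this thread (assumed watchlist).
UNINSTALL_LIST = ("wildtangent", "bestpopupkiller", "spykiller", "i2hub", "partypoker")

# Flag texts, kept as constants so callers can test for them by name.
FILE_MISSING = "file missing: dangling entry, typically left by a partial removal"
NO_NAME_BHO = "BHO has no name"
SELF_NAMED_BHO = "BHO name is its own file path"
WINLOGON_NOTIFY = "Winlogon Notify DLL: loaded by winlogon.exe at every logon"
WINDOWS_ROOT = "binary sits directly in the Windows directory"
UNINSTALL_HIT = "startup entry for a program the helper asked to uninstall"

# Entry lines look like "O2 - BHO: ...", "R1 - HKCU\...", "F1 - win.ini: ...".
HJT_LINE = re.compile(r"^(?P<section>[RF][0-3]|O\d{1,2}) - (?P<body>.+)$")
# A Windows path up to a known extension; stops before ",entrypoint" or " /args".
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|html?|lnk|cab)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str              # "O2", "O4", "O20", ...
    body: str                 # text after "Oxx - "
    path: Optional[str]       # last Windows path in the body, if any
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block, blank line
        body = m.group("body")
        paths = WIN_PATH.findall(body)
        entries.append(Entry(m.group("section"), body, paths[-1] if paths else None))
    return entries


def analyse(entry: Entry) -> Entry:
    """Attach review flags to one entry (heuristics, not a verdict)."""
    body_lc = entry.body.lower()
    path_lc = (entry.path or "").lower()
    if "(file missing)" in body_lc:
        entry.flags.append(FILE_MISSING)
    if entry.section == "O2":
        name = entry.body.split(" - ")[0].removeprefix("BHO: ")
        if name == "(no name)":
            entry.flags.append(NO_NAME_BHO)
        elif entry.path and name.lower() == path_lc:
            entry.flags.append(SELF_NAMED_BHO)
    if entry.section == "O20":
        entry.flags.append(WINLOGON_NOTIFY)
    # Exactly two backslashes means C:\WINDOWS\<file>, not a subdirectory.
    if path_lc.startswith("c:\\windows\\") and path_lc.count("\\") == 2:
        entry.flags.append(WINDOWS_ROOT)
    if entry.section == "O4" and any(p in body_lc for p in UNINSTALL_LIST):
        entry.flags.append(UNINSTALL_HIT)
    return entry


def review(text: str) -> List[Entry]:
    return [analyse(e) for e in parse_hjt(text)]


def flagged(text: str) -> List[Tuple[str, str, List[str]]]:
    """(section, path or body, flags) for every entry that drew at least one flag."""
    return [(e.section, e.path or e.body, e.flags) for e in review(text) if e.flags]


if __name__ == "__main__":
    for section, target, flags in flagged(SAMPLE_LOG):
        print(f"{section:<4} {target}\n       - " + "\n       - ".join(flags))
```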

Post by AndyAtHull » December 5th, 2005, 6:09 am

Hi Myriddan. I will be helping you with your log. It may take some time to research it. Please be patient. If anything else happens, reply to this thread only.

Kind Regards, AndyAtHull :D
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by AndyAtHull » December 6th, 2005, 4:49 pm

Hi and welcome to the MR board.

I'm Andy and I am going to try to help you with your problem. Please take note of five things.


  1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  4. If you don't know, stop and ask! Don't keep going on.
  5. Please reply to this thread. Do not start a new topic.

----------

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

----------

Please note that as long as you're using any form of peer-to-peer networking and downloading files from non-documented sources, the cleanliness of which has not been verified, you can expect infestations of malware to occur. This has not always been the case, and once upon a time was fairly safe. This can no longer be said for peer-to-peer filesharing. You may continue to do so at your own risk but cannot rely upon someone always being able to clean up your system and bail you out of trouble. This practice is in all probability the source of your current malware infestation.

For comprehensive information and comparisons of P2P programs, you may want to read this linked information: http://www.benedelman.org/spyware/p2p/

----------

What I would like you to do next is to remove some bad files from Add/Remove. Click on Start > Control Panel > Add/Remove and uninstall the following programs.
(Note: if some of the programs listed below are not present, please do not panic.)

WildTangent or WildTangent CDA
BestPopUpKiller
Spykiller

I would strongly recommend that you remove the following applications:

i2hub
PartyPoker

Be careful when uninstalling software. Look at the names carefully, as it may catch you out.

----------

Next I would like you to download a few things:

Download win32delfkil.exe and save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil. Leave it for now.

Download CWShredder from HERE and leave it on the desktop for later use.

Download Lavasoft Ad-Aware from Here. Install it and leave it for now.

And download Spybot S&D from HERE. Again install it and leave for now.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

----------

If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.
3) To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.


If you already have Spybot S&D, please configure it as indicated below. If you have a previous version of Spybot, please uninstall your current version and install the newest version 1.4.

Setting up Spybot S&D

1. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
2. Close ALL windows except Spybot S&D.
3. Click the button to 'Search for Updates', then download and install the updates.
4. Next click the button 'Check for Problems'.
5. When Spybot is complete, it will be showing 'RED' entries, bold 'Black' entries and 'GREEN' entries in the window.
6. Make certain there is a check mark beside all of the RED entries ONLY.
7. Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.
8. REBOOT to complete the scan and clear memory.


----------

Please disconnect from the Internet and unplug your modem for the duration of this fix.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in Safe Mode.

----------

Then open CWShredder, which you downloaded in the first step. Close all browser windows and click on the fix/next button.

----------

Remaining in Safe Mode, with no other windows open, please run Ewido:

1. Click on scanner.
2. Click on Complete System Scan, the scan will now begin.
3. While the scan is in progress you will be prompted to clean files; click OK.
4. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
5. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
6. Click Save Report.
7. Now save the report .txt file to your desktop.

Please note that you should leave the computer alone while Ewido is scanning, until it is finished.

----------

Restart into normal mode and follow this:

Close all windows, open the win32delfkil folder on the desktop and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt.

----------

Now I would like you to run an online scan from here: http://housecall.trendmicro.com/. Click on "Scan now. It's free", then "Please Select your Location" and press Go. Then "Start Free Scan" and "Complete Scan". Make sure no windows are open apart from the Trend Micro page and the scanning page during this scan. Note down any infections, spyware or vulnerabilities it brings up and save them in a .txt file from Notepad.

----------

Post back with a fresh HJT log, a log from the Ewido scan, the log from windelf.txt, and any finds Trend Micro found. With Spybot and Ad-Aware you do not have to post back their findings ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by Myriddan » December 7th, 2005, 12:28 am

None of the programs were listed in my Add/Remove Programs list (a couple I removed before, but I guess there might be traces left behind in the system).

Logfile of HijackThis v1.99.1
Scan saved at 8:22:07 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133491950\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [i2hub] F:\Programs\i2hubV2\i2hub.exe -tray
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/s ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/fil ... ImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/RightsServer/Cl ... leOpen.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancestry.com/asfiles/file ... ImgVwr.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:28 PM, 12/6/2005
+ Report-Checksum: 44F17A79

+ Scan result:

HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\CashFiesta -> Spyware.CashFiesta : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\CashFiesta\Cashfiesta -> Spyware.CashFiesta : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\CashFiesta\Cashfiesta\Config -> Spyware.CashFiesta : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\CashFiesta\Cashfiesta\Install -> Spyware.CashFiesta : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\CashFiesta\Cashfiesta\Update -> Spyware.CashFiesta : Cleaned with backup
HKU\S-1-5-21-3942531886-953129233-1774555873-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
[312] C:\WINDOWS\system32\st3.dll -> Downloader.Delf.h : Cleaned with backup
[844] C:\WINDOWS\system32\st3.dll -> Downloader.Delf.h : Error during cleaning
C:\Documents and Settings\Alicia\Cookies\alicia@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Alicia\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
C:\Documents and Settings\Earl\Cookies\earl@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Earl\Cookies\earl@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@banner.paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@cbs.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@linkbuddies[1].txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@news.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@popunder.paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Eric\Local Settings\Application Data\Wildtangent\Cdacache\00\00\4E.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@ads.trafficvenue[1].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@trafficvenue[1].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\ELH236X4\dotreg3[2].html -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\FileSubmit\3 Dragons\nnez_388.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1392\A0255486.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1392\A0255488.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1392\A0255489.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1392\A0255490.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256589.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\adsldpbe.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\NDNuninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\q104495656.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q108095375.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q115296656.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q11617500.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q118897109.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q126098796.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q133299859.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q136900390.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q144101562.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q14468375.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q14472265.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q151302703.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q15218156.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q158503843.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q165705015.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q172906359.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q176506843.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q18072875.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q183708031.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q18818953.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q190909203.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q194509703.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q198110218.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q205311453.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q208912062.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q216113218.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q21670203.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q219713687.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q226914828.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q230515343.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q237716484.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q241316984.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q248517828.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q25274734.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q259319656.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q26020265.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q270120859.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q273721343.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q280924171.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q284523671.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q288124500.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q28872296.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q291725031.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q295325531.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q29620921.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q298926203.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q302527109.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q306127609.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q313329000.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q316929515.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q320530359.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q324132062.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q32475156.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q32477703.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q331333812.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q33221750.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q334934734.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q338535593.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q345736796.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q349337296.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q352938156.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q36076406.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q36079187.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q3661828.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q3668453.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q40443750.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q43278156.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q43282156.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q461545562.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q468747234.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q475949140.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q479550093.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q486752015.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q493953968.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q497554828.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q504756890.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q50480031.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q50484984.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q511958890.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q515559859.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q522761937.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q529964015.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q533564937.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q540766875.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q547989296.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q551590171.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q558792093.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q562393125.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q569595062.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q576796953.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q57681578.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q57688000.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q580397890.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q587600109.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q594801875.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q598403171.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q605604796.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q609205734.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q612806625.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q620008609.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q64882750.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q64891859.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q68483265.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q7262843.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q7270125.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q75684406.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q8016468.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q82886296.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q86486781.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q93687953.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\q97288531.dll -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\SYSTEM32\adsldpbe.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\SYSTEM32\st3.dll -> Downloader.Delf.h : Cleaned with backup


::Report End


************************
* WIN32DELFKIL LOGFILE *
************************


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} REG_SZ st3
{16875E09-927B-4494-82BD-158A1CD46BA0} REG_SZ z

Notify key
----------
subkey st3 is present!
subkey gs is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------



Housecall vulnerabilities:

(MS04-028) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
This vulnerability lies in the way the affected components, as listed below, process JPEG image files. An unchecked buffer within this process is the cause o...
More information about this vulnerability and its elimination.
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am
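As an added example (not code from the forum, from ewido or from WIN32DELFKIL), the following Python reads the two logs posted above in their own line formats. It summarises the ewido report by status and by malware family and lists every entry whose status was "Error during cleaning", which is exactly the set a helper has to deal with by hand (here the Altnet keys and the st3.dll still loaded in one process). It also compares the SharedTaskScheduler dump from before and after WIN32DELFKIL against the two stock Windows XP entries, so that anything still registered in that persistence key stands out. The sample lines are short constructed excerpts in the same format as the posted logs, and the baseline set of known-good CLSIDs is my assumption, not something either tool ships.

```python
"""Triage of an ewido scan report and a SharedTaskScheduler dump.

Added example; not code from the forum or from either tool. The sample
inputs below are constructed excerpts in the format of the posted logs.
"""
import re
from collections import Counter

# ewido report line: "<location> -> <classification> : <status>"
EWIDO_LINE = re.compile(r"^(?P<loc>.+?) -> (?P<cls>\S+) : (?P<status>.+)$")

# SharedTaskScheduler dump line: "{CLSID} REG_SZ <display name>"
STS_LINE = re.compile(r"^(?P<clsid>\{[0-9A-Fa-f-]+\})\s+REG_SZ\s+(?P<name>.*)$")

# Assumed baseline: the two entries that a stock Windows XP SharedTaskScheduler
# key carries (both appear in the posted "after" dump). Anything else is
# worth a manual look, because this key loads DLLs into every Explorer.
STS_BASELINE = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}


def parse_ewido(report: str):
    """Return (location, classification, status) for every result line."""
    items = []
    for line in report.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            items.append((m["loc"], m["cls"], m["status"]))
    return items


def triage_ewido(report: str):
    """Counts per status and per family, plus the entries that were not cleaned."""
    items = parse_ewido(report)
    by_status = Counter(status for _, _, status in items)
    # family = vendor name minus the variant suffix, e.g. Downloader.Delf.zu -> Downloader.Delf
    by_family = Counter(".".join(cls.split(".")[:2]) for _, cls, _ in items)
    failed = [(loc, cls) for loc, cls, status in items if status.startswith("Error")]
    return {"by_status": dict(by_status), "by_family": dict(by_family), "failed": failed}


def parse_sts(dump: str):
    """Map CLSID (upper-cased, since the dump mixes case) to display name."""
    entries = {}
    for line in dump.splitlines():
        m = STS_LINE.match(line.strip())
        if m:
            entries[m["clsid"].upper()] = m["name"]
    return entries


def audit_sts(before: str, after: str):
    """Which CLSIDs the cleanup removed, and which non-baseline ones remain."""
    b, a = parse_sts(before), parse_sts(after)
    removed = sorted(set(b) - set(a))
    still_suspicious = sorted(c for c in a if c not in STS_BASELINE)
    return {"removed": removed, "still_suspicious": still_suspicious}


# Constructed excerpt of the posted ewido report (same line format).
SAMPLE_EWIDO = (
    "HKLM\\SOFTWARE\\Altnet -> Spyware.Altnet : Error during cleaning\n"
    "HKLM\\SOFTWARE\\Altnet\\Dashboard -> Spyware.Altnet : Error during cleaning\n"
    "[312] C:\\WINDOWS\\system32\\st3.dll -> Downloader.Delf.h : Cleaned with backup\n"
    "[844] C:\\WINDOWS\\system32\\st3.dll -> Downloader.Delf.h : Error during cleaning\n"
    "C:\\WINDOWS\\q104495656.dll -> Downloader.Delf.zu : Cleaned with backup\n"
    "C:\\Documents and Settings\\Eric\\Cookies\\eric@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup\n"
)

# Constructed excerpts of the posted WIN32DELFKIL before/after dumps.
SAMPLE_STS_BEFORE = (
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader\n"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon\n"
    "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} REG_SZ st3\n"
    "{16875E09-927B-4494-82BD-158A1CD46BA0} REG_SZ z\n"
)
SAMPLE_STS_AFTER = (
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader\n"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon\n"
)

if __name__ == "__main__":
    t = triage_ewido(SAMPLE_EWIDO)
    print("by status :", t["by_status"])
    print("by family :", t["by_family"])
    print("needs manual follow-up:")
    for loc, cls in t["failed"]:
        print("   ", cls, "at", loc)
    print("SharedTaskScheduler audit:", audit_sts(SAMPLE_STS_BEFORE, SAMPLE_STS_AFTER))
```

Run against the full posted logs, the "failed" list is what the next reply has to address (the Altnet keys that cannot be deleted, and the copy of st3.dll that was still mapped into a running process), and an empty "still_suspicious" list confirms that the st3 and z entries no longer load at logon.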

Post by AndyAtHull » December 7th, 2005, 5:51 pm

Thank you Myriddan for the logs.

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

----------

I still see entries in the HJT log to do with SpyKiller. The PopUpKiller is from the same company that makes SpyKiller. SpyKiller and BestPopUpKiller are on SpywareWarrior's Rogue/Suspect list. Therefore we recommend removing these applications. Click HERE for more details.

----------

Regarding the Trend Micro vulnerability. There is more information about it HERE. And HERE.

Updating your computer at Microsoft should clear the vulnerability. Click HERE. Once loaded up click on Express. Let it check. Once done, install every update available, including Office Service Pack 3 if available.

----------

You are also using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6.

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software.

Or you can get the manual download here:

Once you have installed the latest update, please go to Add/Remove Programs and remove all older instances of Java listed there.

----------

Update Ewido:

1 You will need to update ewido to the latest definition files:

* On the left hand side of the main screen click update.
* Then click on Start Update.


2 The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

Do not run ewido yet

----------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\ and delete Altnet

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

----------

Please disconnect from the Internet and unplug your modem for the duration of this fix

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in Safe Mode.

----------

Run HJT and place a check mark next to the following:

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [i2hub] F:\Programs\i2hubV2\i2hub.exe -tray
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) -
http://www.cramster.com/RightsServer/Cl ... leOpen.CAB


Make sure every other window is closed apart from HJT and click on fix.

----------

Staying in Safe Mode:

Some folders may not have gone even after the HJT fix we carried out. So please look for these folders and delete them:
Navigate to these folders in RED. Use Find (F3) or Start>Search>Delete these folders, if present:

Folders...

C:\Program Files\SpyKiller
C:\Program Files\PartyPoker
C:\Program Files\BestPopUpKiller
F:\Programs\i2hubV2

If you have any problems deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, click End Process, then retry delete.
(Note the name and location of any file you cannot delete.)

----------

Then browse to the C:\Documents and Settings\Your User Name (repeat for all other user names in Documents and Settings)\Local Settings\Temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

----------

Staying in safe mode. With no other windows open. Please Run Ewido

1. Click on scanner.
2. Click on Complete System Scan, the scan will now begin.
3. While the scan is in progress you will be prompted to clean files, click OK.
4. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
5. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
6. Click Save Report.
7. Now save the report .txt file to your desktop.

Please note that you should leave the computer alone while Ewido is scanning until it is finished.

----------
Restart your computer into normal mode
----------

Now I would like you to run an online scan, from here http://housecall.trendmicro.com/. Click on "Scan now It's free" then "Please Select your Location" and press on go. Then "Start Free Scan" and "Complete Scan". Make sure no windows are open apart from the Trend Micro page and the scanning page during this scan. And note down any infections, spyware or vulnerabilities it brings up and save it in a .txt file from Notepad.

----------

Post back with a fresh HJT log, a log from the Ewido scan. And any finds Trend Micro found. ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by Myriddan » December 7th, 2005, 7:54 pm

Couldn't get the office service pack 3 update since it was asking for a CD in order to update that I don't currently have with me, also I cannot delete the registry entry for altnet even after following all your directions.

Updated Java and Ewido successfully, will finish the rest of the stuff after I finish my work (might run the scan tonight since it takes something like 4-5 hours to look through all my files and I need my computer to do my work at the moment)
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am

Unread postby AndyAtHull » December 7th, 2005, 7:59 pm

Ok Myriddan,

No problem. Whenever you have the time to do the scans I will be here to help ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby Myriddan » December 10th, 2005, 4:25 pm

The Trend Micro scan keeps freezing when it's checking for vulnerabilities, so do you want me to just post the HJT log and Ewido scan?
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am

Unread postby AndyAtHull » December 10th, 2005, 4:27 pm

Yes please My Riddan :D
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby Myriddan » December 10th, 2005, 5:19 pm

Logfile of HijackThis v1.99.1
Scan saved at 1:18:04 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Programs\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133491950\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/s ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3998590875
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/fil ... ImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancestry.com/asfiles/file ... ImgVwr.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Ewido Scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:35:41 AM, 12/9/2005
+ Report-Checksum: 3CE32818

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
:mozilla.6:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256603.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256605.dll -> Downloader.Delf.lh : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256606.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256607.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1398\A0256719.dll -> Downloader.Delf.lh : Cleaned with backup


::Report End
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am

Unread postby AndyAtHull » December 11th, 2005, 7:55 am

Hi Myriddan thank you for the logs.

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

----------

Looking at the Ewido log, we still seem to have trouble with Altnet.

Before we go any further, please back up your registry (<-- click here) and make sure that you understand how to restore your registry 'just in case'. You need to back it up before continuing.

----------

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]



Save it to your desktop as Fixme.reg. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.

----------

Navigate to C:\Windows\Prefetch. In Prefetch remove all files. Do not delete the folder itself.

----------

I understand your frustration at Ewido taking a long time to scan. That could be for one of several reasons. You may be heavily infected, or there is some junk that is not needed and can be cleaned up. To speed up running anti-virus scans I would like you to install CCleaner. This removes any junk that may be slowing the computer down.

Download Ccleaner from HERE

1. Double click on the file to start the installation of the program.
2. Select your language and click OK, then next.
3. Read the license agreement and click I Agree.
4. Click next to use the default install location. Click Install then finish to complete installation.
5. Double click the CCleaner shortcut on the desktop to start the program.
6. On the "Windows" tab, under "Internet Explorer", uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
7. If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
8. Click on "Options" at the top of the window, then click on the "advanced" button.
9. Deselect "Only delete files in Windows Temp folders older than 48 hours". Click on "OK".
10. Click Run Cleaner to run the program.

Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

After CCleaner has completed its process, click Exit.

..........

Update Ewido:

1. You will need to update ewido to the latest definition files:

* On the left hand side of the main screen click update.
* Then click on Start Update.


2. The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

Do not run ewido yet

----------

Please disconnect from the Internet and unplug your modem for the duration of this fix

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in Safe Mode.

----------

With no other windows open, please run Ewido:

1. Click on scanner.
2. Click on Complete System Scan, the scan will now begin.
3. While the scan is in progress you will be prompted to clean files, click OK.
4. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
5. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
6. Click Save Report.
7. Now save the report .txt file to your desktop.

Please note that you should leave the computer alone while Ewido is scanning until it is finished.

----------
Restart your computer into normal mode
----------

Let's try Panda instead.

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the "Scan your PC" button
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply

----------

In your next reply I would like:

A fresh HJT log
Fresh Ewido log
Anything Panda finds
And please tell me how your system is running ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby Myriddan » December 11th, 2005, 7:18 pm

Computer still seems to be running a little slow, no pop ups anymore though

Logfile of HijackThis v1.99.1
Scan saved at 3:14:34 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\Programs\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
c:\program files\common files\aol\1133491950\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133491950\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133491950\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/s ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3998590875
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/fil ... ImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancestry.com/asfiles/file ... ImgVwr.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:21:33 PM, 12/11/2005
+ Report-Checksum: BD8BA151

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
:mozilla.9:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\xuq1hnwl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ehg-foxsports.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@ehg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup


::Report End


Panda:
Incident                          Status           Location
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\2LB4PGFQ\marketing48[1].html
Adware:Adware/WUpd                Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\2LB4PGFQ\sponsor[1].html
Adware:Adware/MediaTickets        Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\6JKCMWOG\11[2]
Adware:Adware/MediaTickets        Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\6JKCMWOG\CAH1D2MH.HTM
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\FJPJRDWW\marketing61[1].html
Adware:Adware/MediaTickets        Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\JO3MQH2B\mtrslib2[1].js
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Documents and Settings\Earl\Local Settings\Temporary Internet Files\Content.IE5\WNVRUCP1\CAE1QDGT.HTM
Adware:adware/quicksearch         Not disinfected  C:\WINDOWS\Downloaded Program Files\Install.inf
Adware:Adware/Exact.SearchBar     Not disinfected  C:\WINDOWS\eSearchBar\exactSetup.exe
Adware:Adware/SearchNo            Not disinfected  C:\WINDOWS\prflbmsgp32.dll
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am

Unread postby AndyAtHull » December 11th, 2005, 7:42 pm

Before I go ahead with fresh instructions, did you carry out this instruction?

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]



Save it to your desktop as Fixme.reg. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.


I would like to know, because Altnet is still lurking about. If you did carry it out, I can give you other instructions for this.

Regards, Andy
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK
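The Fixme.reg in the post above works because a section header written as [-KEY] tells regedit to delete that key and everything beneath it, whereas a plain [KEY] header would create the key. The following Python parser is an added example and is not part of the thread or anyone's posted code: it reads a REGEDIT4 file and reports what merging it would do, and it flags the missing trailing blank line the post warns about, so a fix can be checked before it is merged. The sample input is constructed to match the posted Fixme.reg. It only parses text; it never modifies the registry.

```python
"""Parse a REGEDIT4-style .reg file and report what merging it would do.

Added example (not from the forum post). It checks the things the
instructions above rely on: the REGEDIT4 header, the meaning of a
'[-KEY]' section (delete this key), and the trailing blank line.
It only parses; it never touches the registry.
"""
import re

# Sample input, constructed to match the Fixme.reg from the post.
FIXME_REG = "REGEDIT4\n\n[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet]\n\n"

# "[KEY]" creates/opens a key, "[-KEY]" deletes it (and all subkeys)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")


def parse_reg(text):
    """Return (actions, problems).

    actions:  dicts such as {"op": "delete_key", "key": ...} or
              {"op": "set_value"/"delete_value", "key": ..., "name": ..., "data": ...}
    problems: strings describing format errors a human should fix first.
    """
    actions, problems = [], []
    lines = text.split("\n")
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        problems.append("missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header")
    if not text.endswith("\n\n"):
        problems.append("file does not end with a blank line (the instructions require one)")
    current = None  # key that following value lines belong to
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append({"op": "delete_key", "key": key})
                current = None  # values cannot follow a delete-key section
            else:
                actions.append({"op": "create_key", "key": key})
                current = key
            continue
        if current is None:
            problems.append(f"line {lineno}: value outside a key section: {line!r}")
            continue
        # "name"=data  or  @=data (default value); "name"=- deletes the value
        name, sep, data = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a key or value line: {line!r}")
            continue
        name = "@" if name == "@" else name.strip('"')
        if data == "-":
            actions.append({"op": "delete_value", "key": current, "name": name})
        else:
            actions.append({"op": "set_value", "key": current, "name": name, "data": data})
    return actions, problems


def describe(text):
    """Human-readable summary, for checking a fix before merging it."""
    actions, problems = parse_reg(text)
    out = [f"{a['op']}: {a['key']}" + (f" \\ {a['name']}" if "name" in a else "")
           for a in actions]
    return out + [f"PROBLEM: {p}" for p in problems]


if __name__ == "__main__":
    for line in describe(FIXME_REG):
        print(line)
```

Run it on any .reg file you are about to merge; a single "delete_key" line and no PROBLEM lines is what the posted Fixme.reg should produce.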

Unread postby Myriddan » December 11th, 2005, 8:29 pm

Yes I did create the registry file and merge it
Myriddan
Regular Member
 
Posts: 24
Joined: December 5th, 2005, 12:07 am

Unread postby AndyAtHull » December 11th, 2005, 10:08 pm

Hi Myriddan,

Are there any other accounts created on your computer? This is vital information I need, so please let me know.

----------

Reveal Hidden Files

  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu.
  4. Click Folder Options.
  5. Select the View Tab.
  6. Select Show hidden files and folders in the Hidden files and folders section.
  7. Uncheck Hide protected operating system files (recommended) option.
  8. Uncheck the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.

----------

Navigate to C:\WINDOWS and delete the file and folder listed below.

C:\WINDOWS\prflbmsgp32.dll <-- This file

C:\WINDOWS\eSearchBar <-- This folder

----------

The entry in HJT I will ask you to fix is not malware, but it is known to cause system slowdowns because it's constantly searching for Office documents, etc.

Run HJT and place a check mark next to the following:

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Then, with all windows other than HJT closed, click on Fix.

----------

Let's run Ccleaner again

1. Double click the CCleaner shortcut on the desktop to start the program.
2. On the "Windows" tab, under "Internet Explorer", uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
3. If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
4. Click on "Options" at the top of the window, then click on the "advanced" button.
5. Deselect "Only delete files in Windows Temp folders older than 48 hours". Click on "OK".
6. Click Run Cleaner to run the program.

Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

After CCleaner has completed its process, click Exit.

----------

Hide System Files

  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu.
  4. Click Folder Options.
  5. Select the View Tab.
  6. Uncheck Show hidden files and folders in the Hidden files and folders section.
  7. Select Hide protected operating system files (recommended) option.
  8. Check the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.

----------

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

----------
Restart your computer
----------

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.

----------

Run an online virus scan called Kaspersky from HERE.

1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
5. Then click on "My Computer", and the scan will start.
6. Once finished, save a log as "Text" to the desktop, and restart.


----------

I would like to have a uninstall_list from HJT. Open up HijackThis. Click on Open Misc Tools section, then click on Open Uninstall manager. Then click on Save list to the right and save it to the desktop. It will save as uninstall_list.

----------

In your next reply I would like:

A fresh HJT log.
uninstall_list.
A log from Kaspersky.
And please tell me if any other accounts have been created on your system.

You can post more than one reply if the logs are too long and don't fit. ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK
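The manual follow-ups in the post above (the Altnet registry key, prflbmsgp32.dll and the eSearchBar folder) are exactly the items the two scan reports marked "Error during cleaning" or "Not disinfected" rather than "Cleaned with backup". The following Python script is an added example and is not part of the thread: it parses a few constructed lines in the ewido and Panda ActiveScan report formats, lists what the scanners left behind sorted into registry keys, browser-cache files and other files, and generates a REGEDIT4 file for the registry keys. The line-format regexes are assumptions drawn from the reports as posted, not published specifications, and the script only reads text; it never touches the registry or filesystem.

```python
"""Triage ewido and Panda ActiveScan reports: list what was NOT cleaned.

Added example, not part of the forum thread. The sample lines are
constructed to look like the reports posted above; the parsing rules are
assumptions about those two report formats, not documented specs.
"""
import re

# Constructed sample: a few lines in each report's format.
EWIDO_SAMPLE = """\
HKLM\\SOFTWARE\\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\\SOFTWARE\\Altnet\\Dashboard -> Spyware.Altnet : Error during cleaning
:mozilla.9:C:\\Documents and Settings\\Eric\\Application Data\\Mozilla\\Firefox\\Profiles\\xuq1hnwl.default\\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\\Documents and Settings\\Eric\\Cookies\\eric@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
"""

PANDA_SAMPLE = """\
Adware:Adware/Exact.BargainBuddy Not disinfected C:\\Documents and Settings\\Earl\\Local Settings\\Temporary Internet Files\\Content.IE5\\2LB4PGFQ\\marketing48[1].html
Adware:Adware/Exact.SearchBar Not disinfected C:\\WINDOWS\\eSearchBar\\exactSetup.exe
Adware:Adware/SearchNo Not disinfected C:\\WINDOWS\\prflbmsgp32.dll
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
# ewido:  <object> -> <detection name> : <status>
EWIDO_RE = re.compile(r"^(?P<obj>.+?) -> (?P<name>\S+) : (?P<status>.+)$")
# Panda:  <detection name> <status> <drive path>   (status may abut the name)
PANDA_RE = re.compile(
    r"^(?P<name>\S+?)\s*(?P<status>Disinfected|Not disinfected|Deleted)\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_ewido(text):
    items = []
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            items.append({"scanner": "ewido", "object": m["obj"],
                          "name": m["name"], "status": m["status"]})
    return items


def parse_panda(text):
    items = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            items.append({"scanner": "panda", "object": m["path"],
                          "name": m["name"], "status": m["status"]})
    return items


def is_registry(obj):
    return obj.split("\\", 1)[0].upper() in HIVES or obj.upper().startswith("HKEY_")


def is_browser_cache(path):
    p = path.lower()
    return "\\temporary internet files\\" in p or "\\cookies\\" in p or p.startswith(":mozilla.")


def triage(items):
    """Return the items the scanners could not remove, each tagged with a
    kind (registry / cache / file) and the target to act on."""
    leftovers = []
    for it in items:
        if it["status"] in ("Cleaned with backup", "Disinfected", "Deleted"):
            continue
        obj = it["object"]
        if is_registry(obj):
            hive, _, rest = obj.partition("\\")
            kind, target = "registry", HIVES.get(hive.upper(), hive) + "\\" + rest
        elif is_browser_cache(obj):
            kind, target = "cache", obj
        else:
            kind, target = "file", obj
        leftovers.append({**it, "kind": kind, "target": target})
    return leftovers


def reg_deletions(leftovers):
    """Build a REGEDIT4 file deleting the leftover registry keys.
    Deleting a parent key removes its subkeys, so nested keys are dropped."""
    keys = sorted({l["target"] for l in leftovers if l["kind"] == "registry"})
    roots = [k for k in keys if not any(k.startswith(p + "\\") for p in keys if p != k)]
    return "REGEDIT4\n\n" + "".join(f"[-{k}]\n\n" for k in roots)


if __name__ == "__main__":
    ACTION = {"registry": "delete key with a .reg file or regedit",
              "cache": "clear Temporary Internet Files / cookies (e.g. CCleaner)",
              "file": "delete by hand with hidden files shown"}
    left = triage(parse_ewido(EWIDO_SAMPLE) + parse_panda(PANDA_SAMPLE))
    for l in left:
        print(f"{l['scanner']:6} {l['kind']:9} {l['target']}  <- {ACTION[l['kind']]}")
    print(reg_deletions(left))
```

On the sample lines the generated .reg file is the same one-key Fixme.reg the earlier post asked for. A caveat for the "file" entries: a DLL under C:\WINDOWS that a scanner could not disinfect may be loaded by a running process, in which case Windows will refuse the delete; retrying from Safe Mode, as the post's System Restore steps already imply a reboot, is the usual answer.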